Skip to main content

Full text of "Open Source Intelligence Books (OSINT)"

See other formats


Second Edition 


Cybervetting 

Internet Searches for 
Vetting, Investigations, and 
Open-Source Intelligence 


Edward J. Appel 



Second Edition 


Cybervetting 

Internet Searches for 
Vetting, Investigations, and 
Open-Source Intelligence 

Edward J. Appel 



CRC Press 

Taylor Si Francis Group 
Boca Raton London New York 


CRC Press is an imprint of the 

Taylor Sc Francis Group, an informa business 


Copyrighted material 



CRC Press 

Taylor & Francis Group 

6000 Broken Sound Parkway NW, Suite 300 

Boca Raton, FL 33487-2742 

© 2015 by Taylor & Francis Group, LLC 

CRC Press is an imprint of Taylor & Francis Group, an Informa business 

No claim to original U.S. Government works 

Printed on acid-free paper 
Version Date: 20140623 

International Standard Book Number-13:978-1-4822-3885-3 (Hardback) 

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been 
made to publish reliable data and information, but the author and publisher cannot assume responsibility for the 
validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the 
copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to 
publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let 
us know so we may rectify in any future reprint. 

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, 
or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, includ¬ 
ing photocopying, microfilming, and recording, or in any information storage or retrieval system, without written 
permission from the publishers. 

For permission to photocopy or use material electronically from this work, please access www.copyright.com 
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, 
MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety 
of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment 
has been arranged. 

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for 
identification and explanation without intent to infringe. 


Library of Congress Cataloging-in-Publication Data 


Appel, Edward). 

[Internet searches for vetting, investigations, and open-source intelligence] 

Cybervetting : Internet searches for vetting, investigations, and open-source intelligence / 
EdwardJ. Appel, Sr. 
pages cm 

Completely revised edition of the authors Internet searches for vetting, investigations, and 
open-source intelligence. 

Includes bibliographical references and index. 

ISBN 978-1-4822-3885-3 (alk. paper) 

1. Employee screening. 2. Criminal investigation. 3. Internet searching. 4. Employee 
crimes—Prevention. 5. Computer crimes—Prevention. 6. Personnel management—Information 
technology. 7. Business enterprises—Security measures. I. Title. 

HF5549.5.E429A67 2015 

363.25’202854678~dc23 2014021634 


Visit the Taylor & Francis Web site at 
http://www.taylorandfrancis.com 

and the CRC Press Web site at 
http://www.crcpress.com 


Copyrighted material 



Contents 


Introduction.xiii 

About the Author.xix 

SECTION I BEHAVIOR AND TECHNOLOGY 

1 The Internet’s Potential for Investigators and Intelligence Officers.3 

Introduction.3 

Growth of Internet Use.4 

A Practitioner’s Perspective.12 

The Search.13 

Internet Posts and the People They Profile.16 

Finding the Needles.19 

The Need for Speed.19 

Sufficiency of Searches.20 

Notes.20 

2 Behavior Online.25 

Internet Use Growth.25 

Evolution of Internet Uses.29 

Physical World, Virtual Activities.34 

Connections and Disconnecting.34 

Notes.37 

3 Use and Abuse: Crime and Misbehavior Online.39 

Introduction.39 

By the Numbers?.40 

Online Venues.4l 

Digital Delinquency.42 

“Free” Intellectual Property.42 

The Insider.44 

Misbehavior Online.46 

Notes.46 

vii 


Copyrighted material 





























viii ■ Contents 


4 Internet Search Studies.49 

Introduction.49 

Academic Study.50 

Study Summary.51 

iNameCheck Cybervetting Case Study.54 

Notes.57 

5 Implications for the Enterprise.59 

Introduction.59 

The New User: Someone You Would Trust?.60 

Employer Liability.61 

Vetting, Monitoring, and Accountability.62 

The Evolving Personnel Security Model.65 

Notes.69 

SECTION II LEGAL AND POLICY CONTEXT 

6 Liability, Privacy, and Management Issues.75 

Liability for Service Providers.75 

Liability for Employers.77 

Accountability for Employees.79 

Notes.81 

7 Laws.83 

Introduction.83 

Constitutional Rights.83 

Statutes.85 

Federal Statutes.85 

State Statutes.89 

Federal Rules of Evidence and Computer Records.91 

International Treaties and Standards.93 

US Legislative Proposals.94 

Notes.95 

8 Litigation.97 

Introduction.97 

Internet Search Litigation.97 

Anonymity.99 

Expectation of Privacy.100 

Due Process.103 

Libel/Defamation.105 

Invasion of Privacy Torts.107 

Sanctions for Public Postings.107 

Internet Privacy for the Twenty-First Century.108 


Copyrighted material 









































Contents ■ ix 


Admissibility of Electronically Generated and Stored Evidence.Ill 

Trends and Legal Challenges to Investigative Searching.112 

Notes.112 

9 International and Domestic Principles.117 

US and International Privacy Principles.117 

Government Standards.122 

Parallel Guidance: Internet Research Ethics.125 

Notes.125 

10 Professional Standards and the Internet.127 

Introduction.127 

ASIS Standards.128 

National Association of Professional Background Screeners.131 

Association of Internet Researchers.132 

Librarians.135 

Inside and Outside the Workplace.136 

Reputational Risk, Public Affairs.137 

Bottom Line.138 

Notes.138 

11 The Insider Threat.141 

Introduction.141 

Benevolent Big Brother.143 

Notes.145 

SECTION III FRAMEWORK FOR INTERNET SEARCHING 

12 Internet Vetting and Open-Source Intelligence Policy.149 

Introduction.149 

Legal and Ethical Limitations.150 

Policy.153 

Information Assets Protection.155 

Notes.156 

13 Tools, Techniques, and Training.157 

Introduction.157 

Training Analysts.162 

Open-Source Intelligence Process.163 

Quality Control.166 

Notes.168 

14 Proper Procedures for Internet Searching.169 

Introduction.169 

Criteria.170 


Copyrighted material 








































x ■ Contents 


Security.172 

Standard Methodology.175 

Notes.175 

SECTION IV INTERNET SEARCH METHODOLOGY 

15 Preparation and Planning.179 

Introduction.179 

The Library.182 

Scope Notes.184 

Notes.186 

16 Search Techniques.189 

Introduction.189 

Internet Content.189 

The Browser.190 

The Search Engine.191 

Metasearch Engines.195 

Finding Search Engines.195 

Search Terms.196 

Social and Commercial Searching.197 

Social Networking Sites.197 

E-Commerce Sites.202 

Directories.204 

Blogs.205 

Chat.205 

Notes.206 

17 Finding Sources.209 

Introduction.209 

US Government.210 

State, County, and Local Governments.211 

Other Government-Related Sources.213 

Business-Related Sources.214 

News.215 

Web 2.0.215 

Looking Up Subscribers.219 

E-Mail.221 

Commercial Database Providers.222 

Notes.223 

18 Automation of Searching.225 

Introduction.225 

Why Automate Searching?.226 


Copyrighted material 









































Contents ■ xi 


Enterprise Search Middleware.227 

Best-in-Class Desktop Tool.229 

Investigative Search Tool Requirements.229 

A Homegrown Solution.231 

Reducing Analytical Time Using Automation.231 

Caching and Data Mining.232 

The Human Interface in Internet Investigations.233 

Notes.235 

19 Internet Intelligence Reporting.237 

Introduction.237 

Records.238 

Content.238 

Analyst’s Comments.240 

Organization and Formatting.241 

Source Citations.243 

Attribution.243 

Verification.244 

Notes.247 

20 Illicit Websites and Illegal Behavior Online.249 

Introduction.249 

Cybercrime.249 

Child Pornography and Internet Porn.250 

Unauthorized Use of Computer Systems.251 

Contraband Digital Assets.253 

Information (Cyber) Warfare.256 

Notes.258 

21 Model Cybervetting Investigative Guidelines.261 

Introduction.261 

Enterprise Strategy.261 

Model Internet Search Guidelines.263 

Authorized Internet Search (Cybervetting) Personnel.265 

Definitions to Consider.266 

Notes.2 67 

22 A Model Internet Investigation Policy.269 

Introduction.269 

Key Considerations.270 

Higher-Risk Candidates.270 

Application Procedures and Forms.271 

Legal Issues.272 

Confidentiality.273 


Copyrighted material 











































xii ■ Contents 


Ethics in Investigations.273 

Disciplinary Action.274 

Model Forms for Candidates.274 

Notes.276 

23 A Model Internet Posting Policy.277 

Note.279 

24 Internet Intelligence Issues.281 

Introduction.281 

Privacy.281 

Smoking Guns.283 

Completeness of Internet Searching.284 

Adjudication.285 

Conclusion.286 

Notes.287 

Index.289 


Copyrighted material 


















Introduction 


At the March 2014 RSA Conference in San Francisco, the usual discussions of the 
need for robust cryptography and sound computer functions to protect business 
and government were eclipsed by startling revelations by Edward Snowden, the 
National Security Agency (NSA) low-level contractor who copied a large quantity 
of top-secret files and gave them to the media and WikiLeaks, fleeing to Russia. 1 As 
Booz Allen Hamilton vice chairman Mike McConnell (former NSA director) said, 
“Snowden has compromised more capability than any spy in U.S. history ... and 
this will have impact on our ability to do our mission for the next 20 to 30 years.” 2 
Leading thinkers in cyber security at the conference, including Richard Clarke, 
Howard Schmidt, Scott Charney, and Bruce Schneier, ruminated about NSA spy¬ 
ing revelations, the need to strengthen private-use cryptography, public-private col¬ 
laboration on computer systems security, alternatives to US surveillance, and the 
implications that built-in flaws in information technology (IT) both empower and 
debilitate cyber security. 

In the second edition of this book, it has been necessary to rewrite most of 
the first editions content, so profound have been the changes since late 2010 in the 
Internet, cyber war, cyber security, cyber attacks of all kinds, social use of com¬ 
puters, and the World Wide Web—and enterprise inability to defend against or 
cope with all of these. Ubiquitous wireless connectivity, cheap data storage (both 
local and “in the cloud”), proliferating online devices, mass social networking, 
and seemingly ever-receding privacy are among the profound changes. In a way, 
Snowden s revelations appear to lack the “wow factor,” when Anonymous and many 
other “hacktivists” claim to have penetrated every important government and busi¬ 
ness network, and major retailers, media outlets, utilities, government agencies, 
and Internet service providers admit almost daily to breaches jeopardizing millions 
of users. For public and private enterprises, IT has enabled improved efficiencies 
but has introduced increased levels of complexity and vulnerability that—at least 
25 years into widely networked computing—still present a daunting challenge for 
enterprise and personal security. 

Some of the more evident observations about the current phase of the Internet 
age are the growing dependence of Western society on networked systems for all of 


xiii 


Copyrighted material 


xiv ■ Introduction 


our critical infrastructures and our inability to protect them. While our military 
attempts to prepare for cyber war, its inability to defend us against cyber attacks 
by virtually anonymous state actors presents a striking contrast with the physically 
strongest armed forces on the planet. To paraphrase Lenin, we have fashioned the 
rope with which we can be hung. Black-hat hackers, cyber espionage, and cyber¬ 
crime appear to be able to overwhelm our private, business, and public systems. 
Ironically, while governments develop cyber weapons to enable them to wage and 
defend against cyber war, they are contributing to the cyber attackers’ arsenals 
of hacking tools, which in their increasing sophistication enable growing groups of 
“script kiddies”—those with intent but few programming skills—to carry out 
attacks online. As we approach 25 years of widespread Internet use, we have yet to 
master how to plug the holes we created. 

Individuals have also swallowed the same pills of technology that were adopted 
for government and business use and are nearly all connected 24-7 via the Internet on 
wireless, search-enabled devices by which they are constantly distracted, informed, 
empowered, and debilitated. Host networks and institutions are conflicted, needing 
to adopt the latest systems, but unable to fully defend them against error and mali¬ 
cious attacks. As the Great Recession of 2008 recedes slowly behind us, employers 
are in a strong position to demand accountability from employees and candidates, 
yet appear largely unable to do so if the use of computers is concerned. Human 
resources, legal, IT, and security functions have not yet fully grasped and integrated 
the implications of personal computing habits into enterprise systems architecture. 
Instead, each stage in the evolution of networked workers is a crisis to be addressed: 
bring your own device, connect at work, store personal data and contraband in work 
servers, use employers’ Internet portals for personal web surfing, copy enterprise 
applications and data for personal purposes, freely express anti-employer sentiments 
on both intranet and Internet channels, and post impulsively for humor, harass¬ 
ment, or any private reason at all. Online activities at most employers are expected to 
include at least some personal Internet time in every workday. All of these examples 
can create nightmares for enterprise IT security and management. 

As Stewart Baker, former NSA general counsel and assistant secretary of the 
Department of Homeland Security has noted, privacy will become a luxury avail¬ 
able to the privileged and rich as we balance privacy rights with security concerns. 
He does not worry so much about government surveillance, after 60 years of IT 
growth, as he does about private-sector and black-hat hacker (e.g., Anonymous) 
abuse and cyber warfare. 3 Protecting society as emerging technology presents 
increased risks and vulnerabilities will demand the sacrifice of privacy, as we 
struggle to adopt effective security measures. Similarly, Richard Clarke, antiterror¬ 
ism and cyber security coordinator for several US presidents, predicted that cyber 
attacks, both by nation-states and criminals, will result in additional billions of dol¬ 
lars in losses and could even become outright cyber war, waged by such nations as 
China and Iran. 4 Clarke noted that we cannot defend ourselves successfully against 
a cyber attack, especially when we cannot prove who conducted it. 


Copyrighted material 



Introduction ■ xv 


As we confront the dangers, as well as the great opportunities presented by nearly 
ubiquitous all-the-time computing, it seems that privacy will remain a key unre¬ 
solved (perhaps unresolvable) US Internet issue. However, even with the increased 
emphasis on individual control over personal data, Americans (particularly the 
young) appear prone to expose more of themselves online than ever before. Perhaps 
the desire for free online services (such as the collection by Google and Yahoo of 
user information to facilitate marketing) outweighs discretion. Like its employ¬ 
ees, contractors, and customers, the American enterprise appears to believe that 
more exposure is better, and both businesses and governments have embraced social 
networking and websites as necessary means of interaction and transactions. The 
competing philosophies of exposure and protection of information only seem to tilt 
toward more security when disaster strikes, and then the expense and complexity 
of assurance—for a time—are accepted as costs of doing business. Because an esti¬ 
mated average of 10 million Americans face identity theft issues yearly, 5 it is time 
that they understood that institutions face similar challenges of balancing security 
with freedom. 

A key concept of critical infrastructure protection, which appears to lack accep¬ 
tance even after years of learning, from President Reagan s time to the present, is 
the need to ensure that each individual meets the standards of the agency or busi¬ 
ness and is held accountable for carrying out his or her role in security. If the words 
human resource (HR) or human capital have meaning beyond mere “personnel,” 
it is that the right people, carefully chosen and fully supported, make a success¬ 
ful enterprise. However, paralysis and low budgets among the key actors in HR, 
legal, security, and IT departments often cause insufficient vetting (both before and 
after hiring); overreliance on technical measures to protect systems, networks, and 
data; and insufficient investment in employee orientation, training, supervision, 
mentoring, and monitoring to ensure information assurance. Because nearly every 
organization is dependent for its existence, operations, and progress on its informa¬ 
tion systems, even one malicious insider constitutes an unacceptable risk. At a time 
when corporations hoard cash and ignore the critical value of the individual insider, 
it is not surprising that catastrophic failures occur. 

Annual reports by a range of public and private institutions chronicle the state 
of cyber security and the trends in motion. A large number of such reports were 
reviewed in the preparation of this book, some of which are end-noted. While 
I remain skeptical of the reliability and specific value of the statistics in cyber secu¬ 
rity reports, like the river flowing green in Chicago on St. Patricks Day, one does 
not need to know how many gallons of coloring, by whom, or where the green dye 
was injected to observe that the river is now green. The state of our cyber security is 
unacceptably low. Unless we address the human factor, it will remain so. 

This book is dedicated to intelligence, investigative, and research professionals 
who utilize the Internet in their duties, are of varying ages and technical capa¬ 
bilities, and may be constantly online or only search the Internet sporadically. 
Technology and societal changes require that all investigators adapt rapidly, and 


Copyrighted material 



xvi ■ Introduction 


continually learn what is available, to collect online. Some institutions, businesses, 
and other organizations adapt more slowly than others. The law (statute, litigation, 
regulation) is also deliberate in addressing technological and social change. Because 
this book is about Internet intelligence methodology and legal frameworks, it is 
also about how to approach changes. Every effort has been made to keep this text 
forward looking, timely, useful, and adaptable to likely outcomes. 

Open-source intelligence increasingly relies on fusion of data from all-source 
collection and analysis, with Internet data included. Such intelligence is a vital part 
of national security, competitive intelligence, brand protection, marketing research, 
benchmarking, and background vetting. Without items posted online, an investi¬ 
gative report on any topic may not be timely or complete or include the basis for 
reliable predictions and trends, visualization, geolocation, and statistical analysis. 

To enable collection of data documented on the Internet, it is important to 
understand the legal and privacy principles necessary to keep Internet searches law¬ 
ful, fair, equitable, and transparent, especially for cybervetting (background inves¬ 
tigations incorporating online information). 

This book was written to advocate improved security measures and establish 
guidelines for adopting Internet searches, including cybervetting, conducted as 
part of investigations and intelligence collection, with legal, policy, and procedural 
principles and methods suitable to the purpose. The guidance here should help 
both the government and private sectors, lawyers, and investigators of all kinds 
to apply the right techniques and thereby significantly improve their practices. 
Likewise, this book is meant to help investigative professionals develop the core 
skills and techniques to exploit the many, quickly growing resources available on 
the web on every topic imaginable and to integrate them into analytical processes 
that are useful in academic, professional, and personal life. 

It is hoped this second edition can be used to learn or review cybervetting meth¬ 
ods, explore legal frameworks for Internet searching as part of investigations, assist 
in integrating cybervetting into existing screening procedures, or find resources on 
these topics. 


Notes 


1. See https://search.wikileaks.org/search?q = snowden; Gellman, Barton, Edward 
Snowden, after months of NSA revelations, says his missions accomplished, Washington 
Post , December 23, 2013 (accessed April 29, 2014); and NPR summary, http://www. 
npr.org/search/index.php?searchinput=%22edward+snowden%22. 

2. King, Rachael, Ex-NSA Chief Details Snowdens Hiring at Agency, Booz Allen, Wall 
Street Journal , February 4, 2014. 


Copyrighted material 



Introduction ■ xvii 


3. Baker, Stewart, Why Privacy Will Become a Luxury, video interview, http://live. 
wsj.com/video/stewart-baker-why-privacy-will-become-a-luxury/10DB86DC- 

26F3-4634-A665-764l9E9D06D4.html#!10DB86DC-26F3-4634-A665- 
76419E9D06D4 (accessed April 29, 2014). 

4. Clarke, Richard, Economist interview, http://www.youtube.com/watch?v = 
6_ek8mugOUc (accessed April 29, 2014). 

3. FTC Consumer Sentinel annual fraud and identity theft reports, http://www.ftc.gov/ 
enforcement/consumer-sentinel-network/reports (accessed April 29, 2014). 


Copyrighted material 



Copyrighted material 



About the Author 


Edward J. (Ed) Appel, Sr., is owner-principal of iNameCheck, a boutique private 
investigative, consulting, and training firm. Ed is a retired FBI special agent and 
executive, specializing in counterintelligence and terrorism, and served as director, 
Counterintelligence and Security Programs, National Security Council, the White 
House. Besides consulting for private industry and government, Ed served as vice 
president, CertCo (digital security); security director, Level 3 Communications 
(fiber-optic telecommunications); and president, Joint Council on Information 
Age Crime (a public-private nonprofit). He previously volunteered on the ASIS 
(formerly American Society ol Industrial Security) International Law Enforcement 
Liaison Council and founded the International Association of Chiefs of Police 
Computer Crime and Digital Evidence Committee. He co-authored the (IACP)- 
Defense Personnel Security Research Center (PERSEREC) study Developing a 
Cybervetting Strategy for Law Enforcement and its companion for National Security; 
edited the Guide for Preventing and Responding to Information Age Crime , 2001; 
authored Insider Threat Mitigation through Improved Information Systems Security 
in DOD Environments, PERSEREC, 2005; authored Computer-Related Crime 
Impact: Measuring the Incidence and Cost, 2003; was author/lecturer, Executive 
Security Management Course, Northeastern University, 2005, The New World of 
Digital Evidence, Northeastern University, 2007, and Computer Crime and Digital 
Evidence; edited and co-authored Report on the Digital Evidence Needs Survey of 
State, Local and Tribal Law Enforcement, National Institute of Justice, Department 
of Justice, 2005; Mitigating the Insider Threat, Department of Homeland Security, 
2005; a Digital Evidence Awareness, Search and Seizure course for law enforce¬ 
ment, 2004; and wrote numerous unpublished government-sponsored classified and 
unclassified counterintelligence and counterterrorism studies, lectures, and papers. 
Ed is a graduate of Georgetown University, the Defense Language Institute, and 
the National Cryptologic School, and taught at the FBI Academy and as visiting 
lecturer at such institutions as Carnegie-Mellon, MIT Lincoln Labs, Georgetown 
University, and Johns Hopkins University. 


xix 


Copyrighted material 


Copyrighted material 



BEHAVIOR AND 
TECHNOLOGY 


When I took office, only high energy physicists had ever heard of what 
is called the World Wide Web. ... Now even my cat has its own page. 1 

Since the early 1990s, profound changes have taken place in Internet use, pat¬ 
terns of behavior involving information systems, and the quantity and availabil¬ 
ity of data online. Meanwhile, an increasingly serious challenge to enterprise and 
information security in agencies and businesses and for individuals is posed by 
these changes. Among the personnel security and counterintelligence implications 
of these changes is the need to prevent, detect, and respond to illegal behavior on 
an employers system and on personal systems that implicate an employer; pose 
a threat to people, assets, or information; or threaten an institutions reputation. 
Along with the threat comes an opportunity, as the Internet provides increasingly 
rich resources to address risks online. 

Evidence of illicit and illegal behavior on the public Internet by employees 
could expose an employer to significant and unforeseen liabilities and damages. 2 
Although the world seems to agree that the employer has the right to monitor and 
control enterprise systems, which are, after all, the employers property, users are 
able to compromise enterprises through misuse of not only their employer s com¬ 
puters but also their personal devices and have been known to do so on the public 
Internet. Failure to consider online behavior by employees, candidates, and others 
connected with an enterprise (e.g., contractors, partners, and customers) can result 
in serious vulnerabilities. Similar implications apply to any person or entity of con¬ 
cern to decision makers, such as executives, competitors, products, and the latest 
developments. 3 For investigators, intelligence analysts, and researchers, the Internet 
has reached the stage at which it is more likely than not to provide valuable infor¬ 
mation on any topic. 


Copyrighted material 


2 ■ Behavior and Technology 


In this section, the need for Internet searching for investigations, including vet¬ 
ting and intelligence, is explored. 


Notes 

1. Clinton, Bill, Excerpts from Transcribed Remarks by the President and the Vice 
President to the People of Knoxville on Internet for Schools, The White House, Office 
of the Press Secretary, October 10, 1996, http://govinfo.library.unt.edu/npr/library/ 
speeches/1 01 096.html (accessed August 6, 2010). 

2. SANS on Internet security, http://www.sans.org/reading_room/; NIST Computer 
Security Resource Center, http://csrc.nist.gov/; US Department of Justice, Computer 
Crime and Intellectual Property Section Internet Security resource list, http://www. 
cybercrime.gov/linksl .htm#ISSRb. 

3. Dam, Kenneth W., and Lin, Herbert S., editors, Cryptography's Role in Securing the 
Information Society , National Research Council (Washington, DC: National Academy 
Press, 1996); Schneider, Fred B., editor, Trust in Cyberspace , National Research Council 
(Washington, DC: National Academy Press, 1999); Lewis, James A., project direc¬ 
tor, Securing Cyberspace for the 44th Presidency, a Report oj the CSIS Commission on 
Cybersecurity for the 44th Presidency (Washington, DC: Center for Strategic and 
International Studies, December 2008); O’Harrow, Robert, Jr., No Place to Hide (New 
York: Free Press, 2005). 


Copyrighted material 



Chapter 1 

The Internet's Potential 
for Investigators and 
Intelligence Officers 


Introduction 

Ihe Internet is a global electronic communications system that connects computer 
networks and all types of organizations’ computer facilities around the world. 1 
Standard Internet protocols (IPs) are used for electronic, optic, wired, and wire¬ 
less connections for several billion users of telecommunications services. Hypertext 
documents, music, and videos, for example, are exchanged on the World Wide Web, 
which has made the words web and ;^more or less synonymous with the Internet. 

By design, the Internet is “public.” Incredible quantities of data on the Internet 
are available to anyone with a computer and a browser. Some websites limit access 
to hosted data in various ways, and some allow the individual posting informa¬ 
tion to invoke privacy restrictions on unauthorized access. If no limitations apply, 
posted information is open to the public. Some websites require users to register 
to gain access to data, but registered users are not restricted in their use of the 
site’s data, within its authorized use policy (AUP) and applicable copyright and 
trademark law. Therefore, on a great number of sites, the posted information could 
be deemed public even with access limitations. AUPs on some sites prohibit cer¬ 
tain uses of hosted information, such as for commercial purposes or marketing 
(e.g., spam, unsolicited commercial e-mail). Advanced computer users (“hackers”) 
might be able to bypass programs restricting access and illicitly view, copy, delete 
or alter data, or reprogram servers online. Users often must agree to abide by AUPs 

3 


Copyrighted material 


4 ■ Cybervetting 


to gain access to websites, but enforcement of AUP violations is predominantly rare 
and ineffectual. 


Growth of Internet Use 

The Internet and World Wide Web were created to facilitate communications 
and exchange of government and private-sector research information. Starting 
in the early 1990s, the Internet began a process of rapid expansion, in terms of 
linked computers, users, types of devices, data accessibility, and activities taking 
place online. The global network of networks has continued to grow, and with 
the addition of wireless connectivity and processing power in cell phones, tablets, 
and other portable devices, the Internet has permeated every facet of society—the 
“information society” in global parlance. 2 Studies of American Internet usage by 
the Pew Internet and American Life Project chronicle the fact that living life online 
has rapidly become a habit for about 85% of the US population, with younger, 
better-educated, and more well-to-do individuals more likely to be Internet users. 3 
About 2.4 billion people of 7 billion worldwide are online, meaning that global 
Internet use has grown by 566% since 2000 (as of June 3, 2012). 4 

Diversity of Internet use has fueled growth, as has addition of IP-connected 
devices. Marketing and news reporting, social networking, entertainment (music, 
video), government services, and research have helped spur rapid expansion. 
Bandwidth provided by fiber-optic, cable, satellite, and wireless networks has 
enabled enhancements to the capabilities of public safety, communications, and 
data-sharing services that are viewed as vital to society. Both paid services (e.g., 
Internet-TV-phone, films, games online) and free access (e.g., Internet search, news, 
music, videos, tax returns, county records) supported by advertising, fees, and 
agency budgets have expanded industries’ and governments’ automated services. 
Services “in the cloud” (i.e., on servers accessible online) are in a steep growth curve, 
spurred by the need for access from multiple devices and locations to voluminous 
data, applications, and computing power offered by providers to industry, govern¬ 
ments, and individuals. As a result of this growth, Cisco reported that “Global IP 
traffic has increased fourfold over the past 5 years, and will increase threefold over 
the next 5 years. Overall, IP traffic will grow at a compound annual growth rate 
(CAGR) of 23 percent from 2012 to 2017.” 5 Cisco said that expansion of mobile 
devices, data centers “in the cloud,” and bandwidth-intensive, multidevice Internet 
use will accelerate IP traffic volume over the next 5 years. 6 Website host growth also 
reflects net expansion. 

The charts in Figures 1.1 to 1.4, which should be interpreted as high-level esti¬ 
mates, show recent and projected Internet growth. 

Pew’s 2008 study of networked workers 8 revealed some interesting trends 
in American workplaces and homes; among these are that government workers 
are more likely to use the Internet or e-mail daily at work (72%), and 62% of 


Copyrighted material 



The Internet's Potential for Investigators and Intelligence Officers ■ 5 



\o 

a> 

* 

as 

as 

\0 


as 


as 



3 

o 

00 

in 

IN 


V0 

o 

O 


C/5 


in 


i-H 

cd 

H 

o 


O 


<3 

H 


dh 

CN 


i-H 

i-H 


o 


D 

o 








^H 



CN 

as 

as 

aS 

s? 



as 

as 


JO 


o- 

On 


ON 

CO 

oo 

IN 




CN 

| 

vd 

i—H 

cd 

ON 

cd 

o 

00 

vd 


o 


ON 

CO 

in 


i-H 

VO 


O 

u 

O 

vq 

00 

CO 

vq 

rH 

CO 

CN 

un 


U 

o 

o 

CO 



CN 







CN 












as 

\p 

as 



as 

as 

as 


r- 

£ 

VO 

LO 

CN 

CN 

VO 

ON 

VO 

CO 


o 

_o 

LO 

IN 

cd 

o 

00 

CN 

N 



4-4 

4-4 

Cd 

*-H 

CN 

VO 


IN 


VO 

CO 


cd 











u 

3 










O 

a 










c 

o 










<D 

CU 









1/5 

CU 

as. 









X* 











(A 











4-> 











O 

C/5 


vo 

On 

ON 

in 

CO 

LO 

ON 

vo 


S-i 

cd 

[>• 

LO 

o 

in 

i-H 


i-H 

IN 

o 

C/5 

D 

VO 

o 

i—H 



N 

ON 

CO 

C 

cd 

ud 

1—H 

CN 

o' 

ud 

ud 

IN 

oo” 

o 

Q 

CO 

oc 

i—H 

o 

oo 

f—< 

oo 

i-H 


4-4 


CO 

vO 

in 

o 

IN 

ON 

CN 

in 

JJ 

<D 

r- 

C/5 

rd 

VO 

oo” 

o 

cd 



ud 

3 

u* 

o 

4-4 

vo 

IN 

i-H 

ON 

N 

un 

CN 

o 

& CN 

0 

0) 

4-4 

c 

Cd 

H 

i-H 


in 


CN 

CN 


CN 

CLi O 











§ 8 

C/5 


o 

O 

CO 

o 

O 

ON 

O 

CN 

O 

5-4 

o 

o 

o 

ON 

o 

o 

i-H 

00 

ON 

OD ^ 

5 § 

o 

C/5 

D 

o 

o 

CN 


o 

©^ 

vd 

00 

oq 

vd 

oi 

00 

^1 

o” 

ud 


1—H 

o 

ON 

00 

On 

VO 

CN 

oo 

D 

4-4 

|—H 

in 

CO 

©^ 

CN 

O^ 

o^ 

vq 

ON 

•M 

o 

£ 

CO 



in 

cd 

00 

oo” 

in” 

o” 

o 

S_ 



i—H 

o 


O 

i—H 


VO 

d 

o> 

u 


i—H 

i—i 


H 



CO 

S-l 

4-» 

0) 









O 

rj 

Q 









+4 











d 






















2 



in 

IN 

VO 

CO 


00 

ON 

CN 

T3 



CN 

00 


o 

LO 

CO 

VO 

CN 

o 

£ 


ON 

ON 


CN 

i—H 

vq 

in 

ON 


_o 

4-4 

C/5 

o 

vO 

oo” 

CO 

o' 

oo” 

cd 

vo” 


\3 

w 

00 

VO 

*—i 

o 

oo 

00 

o 



cd 

CO 


ON 

vq 

CN 

vq 

ON 

00^ 


3 

CN 

cd 

CN 

o' 

cd 

00 

cd 

ud 

IN 


a 

o 


CN 

CN 

CN 


ON 

CO 

i-H 


o 

CN 

© 

ON 

00 

CN 

CO 

in 


<q 


a. 


i-H 

CO 






rd 









£ 











cd 











<D 
















C/5 






-O 





£ 






'£ 





_o 

’5b 

<D 

cs 

2 

5-4 




4-4 

C/5 

C3 

aJ 

'u 

0) 

£ 

cd 

u 

cd 

_u 

’t4 

<u 

.2 

Id 

u 

4-» 

C/5 

3 

< 

J 

< 

H 

0 

H 



O 

cd 

u 

Asia 

CL) 

a 

W 

2 

3 

M 

< 

X 

4-4 

£ 

< 

£ 

.2 

£ 

cd 

Q 

X 

Cs 5 




< 

CJ 

5-4 

3 

w 

i 

^4 

O 

‘-3 

cd 

hJ 

0 ) 

u 

o 

0 


Cl 

O 

o 

o 

o 

CN 

V 

u 

.E 

*c7! 

* 

o 

vO 

if) 

£ 

r: 


O 

x. 

o 

E 

c 

$ 

o 

X. 

00 

<A 

rS 

-£ 

01 

c/> 

3 

3 

C 

x. 

O 


n 

-C 

_o 

OJD 

ca 

13 

(7! 

2 

X. 

O 

<: 

% 

£ 

x. 

QJ 

£ 

-Q 

"C 

u 

_o 

"o 

u 

ft 

13 

"O 


00 

£ 


O 

U 

U 

< 



DC O 

IZ z 


Copyrighted material 

















The Internet's Potential for Investigators and Intelligence Officers ■ 7 


Demographics of Internet Users 

% of adults in each group who use the Internet (the number of respondents in each group 
listed as “n”for the group) 


Use the Internet 

All adults (n = 2,252) 

85% 

a 

Men (n = 1,029) 

85 

b 

Women (n = 1,223) 

84 

Race/ethnicity 

a 

White, Non-Hispanic (n = 1,571) 

86 c 

b 

Black, Non-Hispanic (n = 252) 

85 c 

c 

Hispanic (n = 249) 

76 

Age 

a 

18-29 (n = 404) 

98 bcd 

b 

30-49 ( n = 577) 

92 cd 

c 

50-64 (n = 641) 

83 d 

d 

65+ (n = 570) 

56 

Education attainment 

a 

Less than high school (n = 168) 

59 

b 

High school grad (n = 630) 

78 a 

c 

Some college (n = 588) 

92 ab 

a 

College + (n = 834) 

96 abc 

Household income 

a 

Less than $30,000/yr (n = 580) 

76 

b 

$30,000-$49,999 (n = 374) 

88 a 

c 

$50,000-$74,999 ( n = 298) 

94 ab 

d 

$75,000 (n = 582) 

96 ab 

Urbanity 

a 

Urban (n = 763) 

86 c 

b 

Suburban (n = 1,037) 

86 c 

c 

Rural (n = 450) 

80 


Source: Pew Research Center’s Internet & American Life Project Spring Tracking Survey, April 17- 
May 19, 2013. n = 2,252 adults. Interviews were conducted in English and Spanish and on 
landline and cell phones. Margin of error is ±2.3 percentage points for results based on 
Internet users. 

Note: Percentages marked with a superscript letter (e.g., a ) indicate a statistically significant differ¬ 
ence between that row and the row designated by that superscript letter, among categories of 
each demographic characteristics (e.g., age). 


Figure 1.4 Pew Research consistently provides the most useful profiles of 
American Internet use. As this profile shows, nearly everyone is online (see Note 3). 


Copyrighted material 



8 ■ Cybervetting 


all workers do. About 42% of workers do some work at home, but 56% of net¬ 
worked workers do some work at home. This poses obvious security concerns as 
data moves between workplace and home. The mobility of employees in the work¬ 
force and the proclivity of some to keep copies of proprietary information to which 
they gain access on the job are only two of many data protection issues. 

It appears that the vast majority of Internet users (Figures 1.5 and 1.6) enjoy 
many types of nonbusiness activities, from e-mail and texting to games, dating, 

Online 

100 % 

90% 

80% 

70% 

60% 

50% 

40% 

30% 

20 % 

10 % 

0 % 

12 to 17 18 to 29 30 to 49 50 to 64 65+ 


Figure 1.5 Pew's 2009 studies showed that almost all young people are online; 
most older people are as well. 


100 % 

90% 

80% 

70% 

60% 

50% 

40% 

30% 

20 % 

10 % 

0 % 


Employed who use the Internet 



18 to 29 30 to 49 50 to 64 65 + 


Figure 1.6 Pew's 2008 study of networked workers showed that most employees 
go online (see Note 8). 


Copyrighted material 


The Internet's Potential for Investigators and Intelligence Officers ■ 9 


news, and blogging. Increasingly, people are looking to the Internet for entertain¬ 
ment, including films, videos, music, TV, and applications that they can access 
for free or at low cost. Declining revenues at television networks, newspapers, and 
publishing houses testify to the shift from TV and print to online media. But, 
enjoyment of the virtual world has brought about a large-scale change in society’s 
views about intellectual property rights. Copyrighted movies, music, publications, 
and software are traded openly over Internet sites specifically designed to deter 
criminal investigations and to facilitate transfer of goods without royalty to produc¬ 
ers, such as by peer-to-peer networks. 9 Departing employees often take proprietary 
data from employers, as 50% of those surveyed admitted to a Ponemon Institute- 
Symantec survey. 10 Are users of fee-free films, music, and software more likely to 
misappropriate their employer’s digital intellectual property for their own use? 

One of the more fascinating aspects of computers and the Internet from a 
behavioral point of view is whether the use of such technology has changed how 
people act, and if so, the implications. In just two areas, child exploitation and 
fantasy games, disturbing trends have become visible (if not yet fully understood). 
For almost 25 years, child pornography, solicitation of minors by predators, and 
illicit group activities centered on sexual exploitation of children have dominated 
the computer crime and digital evidence efforts of federal, state, and local US law 
enforcement. 11 “Massively multiplayer online role-playing games” and other fantasy 
games, like Second Life , allow players to live an alternate existence, complete with 
the option to commit virtual and actual criminal acts with no real-world conse¬ 
quences. Not surprisingly, crimes like money laundering have already invaded vir¬ 
tual reality games. Even some video games focused on crime (Grand Theft Auto) and 
warfare {Fantasy Wars , the Halo series) may encourage players to act out violently or 
criminally. Tie wide popularity of child porn and even wider popularity of fantasy 
may or may not portend new neuroses or inclinations to commit physical criminal 
acts, but some psychologists and psychiatrists have expressed concerns. One of the 
world’s oldest professions, prostitution, occupies its place in e-commerce, 12 along¬ 
side drug distribution facilitated by “anonymous” payments online. 13 

Some concerns raised about online habits do not relate to crime or misbehavior 
but rather to such topics as users’ cognitive ability and attention span. A recent Pew 
study 14 suggested, among other things, that “there will be some teens and young 
adults who will suffer cognitive difficulties from unhealthy use of the internet, Web, 
social media, games, and mobile technology.” The point of including this specula¬ 
tive prediction is that many purposes for cybervetting exist beyond finding evi¬ 
dence of illicit or illegal behaviors online. Failure to address users’ online habits 
avoids consideration of training and orientation to overcome the users’ undiscov¬ 
ered handicaps when they are hired. 

While federal agencies have created, expanded, and reorganized units to deal 
with crime online and digital evidence, state, local, and tribal police have struggled 
and are inundated with cases. The volume and variety of digital evidence—often 
including terabytes of documents, texts, photos, and videos in various formats from 


Copyrighted material 



10 ■ Cybervetting 


many different types of devices—has become daunting to forensic specialists and 
street investigators alike. Yet, the opportunity presented by ubiquitous digital evi¬ 
dence and intelligence, from cell phones to computers to tablets to memory devices 
to social networking, can be wonderful for law enforcement and intelligence. The 
investments required in expertise and technology appear to lag behind, while 
crime, including external attacks to computer systems and online frauds, threatens 
the safety and security of the systems themselves. 15 

Digital evidence is not confined to the devices used in criminal acts (which are 
instruments of the crime) but often can be found in the network logs of Internet 
service providers (ISPs), telecommunications companies, and computer systems 
hosts. Internet-based digital evidence can be transient and remote, including data 
stored abroad, where records' unavailability to US law enforcement may protect 
foreign cybercriminals. International cybercrime agreements have recently been 
strengthened to attack such problems. Sadly, it appears that today only a small 
minority of Internet criminals are being identified and prosecuted. Cybercriminals 
also appear to pose a new threat to society in the form of potential insiders, working 
in government, business, or academia while committing crimes anonymously on 
intranets and the Internet. 

Although most Internet users stay well within legal bounds, recent expansion of 
Internet use and the quantity and types of systems and data available have created 
an opportunity and a necessity for cyber background vetting, investigations, and 
open-source intelligence of all types. An interesting phenomenon accelerating the 
popularity of the Internet is the evolution of search engines, with Google dominat¬ 
ing the field over rivals, including Yahoo, Microsoft’s search engine Bing, AOL, and 
Ask. Consolidation of search engines is inevitable and is ongoing, as Google and Bing 
(essentially the tool used by Yahoo) divide the search function for most US users, 
and a Chinese search engine that is popular in the People’s Republic of China. 
The usefulness of Internet searches is aptly measured in the billions of dollars of 
Google stock value, as well as Google’s expansion into offering applications, online 
storage, e-mail, computers, and more. “The ultimate search engine would basically 
understand everything in the world, and it would always give you the right thing. 
And we’re a long, long ways from that,” said Google co-founder Larry Page. 16 

Yet, searching has become essential to those online. Internet users, including 
investigators, human resources staff, attorneys, and everyone else involved in assess¬ 
ing people in the workplace, are apt to conduct searches when they believe it is 
potentially useful. Today, that includes googling applicants, co-workers, superiors, 
subordinates, and just about anyone else deemed interesting. Although most orga¬ 
nizations wait to consider the right (ethical, fair, effective) way to include Internet 
vetting in personnel processes, the staff has already adopted their own policies, 
procedures, and methods for inquiring into individuals’ online presence. 17 Many 
employers use the Internet as a part of the application process, requiring candidates 
to fill in online application forms and communicate at least in part online during 
preemployment processing. Automation not only makes the process potentially more 


Copyrighted material 



The Internet's Potential for Investigators and Intelligence Officers ■ 11 


efficient, accurate, and timely but also can allow candidates a greater measure of 
control and understanding of the various stages (e.g., declaration of interest, formal 
request to be considered, presentation of credentials, competitive evaluation, inter¬ 
view, conditional offer of employment, background investigation, adjudication). 18 

The personally identifying information exchanged in the background review 
process is sensitive and should be protected to ensure applicants’ privacy. Employers 
conduct background investigations to verify the applicants background and deter¬ 
mine the candidates eligibility, suitability, qualifications, and trustworthiness and 
compare the competitive attributes of prospective employees, existing employees, 
and candidates for clearance or promotion. Traditionally, within federal and state 
laws, employers verify the facts on a resume and application, including checks of 
identity, residences, education, prior employment, arrests, convictions, civil suits, 
bankruptcies, legal sanctions, and similar indicators of past behavior, either in- 
house or through background investigation firms. Because past behavior is the 
single most reliable indicator of future behavior, a candidates track record often 
provides the most convincing evidence of the likelihood of success in his or her 
new position. Likewise, a record of past misbehavior may indicate that the candi¬ 
date would be likely to fail; to cause a loss to the new employer; to pose a threat to 
people, assets, and information in the workplace—or simply be less qualified than 
rival candidates. 

Internet activities have become a new “neighborhood,” where people are likely 
to have posted information, to be recorded in directories and other online data¬ 
bases, and to have been the subject of postings by other people. Scores of fed¬ 
eral, state, and local records are available online, including criminal and civil court 
records, residence and telephone directories, employer websites, business directo¬ 
ries, professional associations, and similar files accessible from the Internet. Some 
of the data available on the public Internet include text, photographs, video, audio, 
and media records that chronicle serious misbehavior by individuals. 19 Past inves¬ 
tigations for government clearances often included “neighborhood investigations,” 
where those living near a candidate were canvassed for information about the can¬ 
didate. Government hiring standards specify the factors used to determine eligibil¬ 
ity and establish knowledge, skills, and abilities, providing the evidence needed 
to offer employment, grant clearances, and document suitability for the job. All 
investigative steps may uncover derogatory information that could disqualify a 
candidate or make candidacy less competitive than others. Over the past several 
decades, the neighborhood investigation (although still carried out) has produced 
less information of value than previously. 20 Not only are neighbors less likely to 
share derogatory observations about the candidate, but fewer neighbors are likely 
these days to even know the person, [his is particularly true because many peo¬ 
ple move frequently and reside in multifamily structures or neighborhoods where 
social contact is minimal. 

One concern raised by those with objections to cybervetting is that factors that 
could be used to discriminate against a prospective candidate might be discovered 


Copyrighted material 



12 ■ Cybervetting 


or documented online (e.g., Title VII attributes like sex, race, nationality, religion, 
etc.). Many such factors are perceptible to those processing applicants from sources 
other than the Internet. There is no valid inference that mere knowledge of such a 
factor resulted in discrimination. However, the process of documenting results of 
cybervetting may be critical to remove doubt that discrimination may be present in 
the adjudication of background investigation results, regardless of the sources used. 

Today, an individual’s social circle may not be defined as much by geography 
as it is by electronic connectivity. Using social networking websites, instant mes¬ 
saging, and similar connectivity, people are likely to exchange information about 
themselves by posting it online or sending it (illustrated with photos, video, and 
sound) to a list of friends and acquaintances located nearby or far away—or to any 
of several billion Internet users who care to look. The profiles created often include 
peccadilloes, problems, and misbehavior unlikely to have been communicated or 
documented electronically in a previous era. 21 To address publicly posted evidence 
of misbehavior, about 45% of employers (up 20% from the previous year) told a 
2009 CareerBuilder.com survey that they search the Internet for social postings 
by applicants to see if what they find may have an impact on a hiring decision. 
About 35% reported that social website postings and similar online data resulted 
in “no-hire’ decisions. Among the reasons cited in the CareerBuilder survey for 
no-hire decisions were provocative/inappropriate photos or information; drinking 
or drug use; bad-mouthing previous employers, co-workers, or clients; poor com¬ 
munications skills; discriminatory comments; misrepresentation of qualifications; 
and shared confidential information from a previous employer. 22 


A Practitioner's Perspective 

In over 8 years of systematic Internet searches on individuals under investigation, 
my company has found a wide variety of types of derogatory information, some 
exclusively seen online and some collected both on the Internet and from other 
sources. The vast majority of the information found supports subjects’ candidacies, 
verifies their background, shows the subjects in a good light, or is otherwise positive 
in nature. In our experience, about 10% of those being screened for employment 
have had references online significant enough to warrant concern about their eli¬ 
gibility or suitability. Results of two studies supporting the 10% derogatory ratio 
of cybervetting results appear further along in this book. During investigations 
and collection of open-source information about suspected individuals (those likely 
to have committed wrongdoing), we have found online documentation of illegal, 
illicit, or socially unacceptable behavior considerably more often than not. The bot¬ 
tom line is that the Internet is a valuable source of information on individuals. 

Beyond people who often appear in Internet files, we found that businesses, 
organizations of all kinds, groups, entities, brands, and topics are profiled more 
efficiently when Internet sources are used, in addition to any other investigative and 


Copyrighted material 



The Internet's Potential for Investigators and Intelligence Officers ■ 13 


research methods. By experimenting with the timing and nature of the searches 
used, we found that often, descriptive information can be found and a “dossier” 
started literally within a few minutes on virtually any topic. This can enable more 
rapid, accurate, complete, and sophisticated planning of the range of sources to 
be used and steps to be taken in collecting and analyzing required information. 
Among the uses for these kinds of searches are due diligence; mergers and acqui¬ 
sitions; litigation support; marketing; brand protection; competitive intelligence; 
counterintelligence; counterterrorism; identifying groups for and against an issue; 
scoping out the extent of a particular illegal or illicit activity online; following 
comments and postings about a current topic (e.g., a trial or dispute, as in litigation 
support); and contractor surveys prior to a request for proposals. Marketers today 
rely heavily on the Internet to find indicators of consumer tastes and trends and 
to distribute all kinds of ads. 23 We found an astonishing array of different types of 
data, which can enable a much better analysis of available information on any topic, 
when Internet search results are included. 

Besides intelligence, investigator, and security exploitation of the Internet, pro¬ 
fessionals in many different areas have come to rely on information available over 
the Internet. Two examples are clinicians and librarians, based on recent articles 
and books illustrating how important reference materials online have become to 
efficiency in their practices. 24 Another example is social media monitoring for mar¬ 
keting and sales purposes, with over 400 different tools providing corporations 
instant feedback on customer perceptions. 25 


The Search 

Creation and innovation in Internet search tools have provided the opportunity 
for Internet research to grow quickly. Finding open-source information on virtu¬ 
ally any topic has been made easier, and all types of data available on the public 
Internet continuously expand. The quantity of data itself has become an issue, as 
expansion of information, storage capacity, and online availability (e.g., through 
“cloud storage”) has occurred at a previously unimaginable pace. 26 For example, the 
Internet itself is estimated to contain 71 billion web pages, 27 the human genome 
mapping project and astronomical data online contain many terabytes of informa¬ 
tion, and more than 500 million Facebook users spend 8 billion minutes daily 
uploading photos (1.2 million per second). 28 The International Data Corporation 
reported that the amount of global data created and replicated during 2012 was 
2.7 zettabytes. 29 Cisco estimated that by 2017 the amount of global IP traffic will 
reach 1.4 zettabytes a year. 30 Because most humans are still struggling to under¬ 
stand that 20 gigabytes of data constitute a pile of 8.5 by 11 inch, single-spaced, 
printed pages the height of the Empire State Building, the transition from gigabytes 
to terabytes to petabytes to exabytes to zettabytes has come all too quickly. The pre¬ 
fix zetta indicates the seventh power of 1,000 and means 10 to the 21st power in the 


Copyrighted material 



14 ■ Cybervetting 


The Digital Universe: 50-fold Growth from 
the Beginning of 2010 to the End of 2020 



(Exabytes) 


40,000 


30,000 


20,000 


10,000 


2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 


Figure 1.7 Growth in stored data available online has been staggering and 
forced a change in the scales of measurement used from gigabytes and beyond to 
exabytes and zettabytes (see Note 26). 

International System of Units. (See Figure 1.7, which shows the trend in exabytes 
of online data storage.) 

Based on recent statistics, it appears that hundreds of billions of queries are 
made through search engines monthly, and Google searches alone have climbed 
to over 5 billion searches daily (almost 2 trillion annually; see Figure 1.8). 31 In 
2008, Google said its search engine had “crawled” (collected and indexed material) 
from 1 trillion unique URLs (uniform resource locators), or web addresses, 32 and 
as of 2013, claimed its index contains over 100 million gigabytes. 33 Although these 
statistics are provided to give a sense of the volume of Internet searches conducted 
and data cached, their most important meaning is that Internet searches are popu¬ 
lar with users and even more popular with advertisers and e-commerce sites that 
depend on search engines for much of their revenue. Just as we should be a bit skep¬ 
tical about the statistics’ precision, we should also understand that search engines 
exist primarily to sell, and as Google s multibillion-dollar income illustrates, the 
audience is huge and continuing to expand. Both data growth and data mining are 
related to the uses made of the Internet and its usefulness to researchers. Both 
are forecast to continue. 

One conclusion haunting security and counterintelligence officers is that find¬ 
ing the information needed (on or off the Internet) and information assurance will 
become more challenging and important with time. Investigators, security officers, 
adjudicators, intelligence personnel, and other authorities all use the Internet to 


Copyrighted material 





The Internet's Potential for Investigators and Intelligence Officers ■ 


15 


Millions of Google Searches per Year 

2000000 



Year Millions of searches 


Figure 1.8 Google annual search statistics show steady growth in the number of 
Internet searches per day and per year (see Note 31). 

find facts quickly. Because they utilize common search engines like Google (along 
with perhaps more than 66% of the population, depending on which market share 
statistics you believe), 34 they often find references that are instructive, informative, 
and useful about people, organizations, and topics of interest. There are few regula¬ 
tions or guidelines for random Internet searches conducted out of curiosity, for a 
business purpose, or for research. Many people have adopted their own approach 
to searching, with more or less skill depending on their level of interest, training, 
or experience. The ubiquity of Internet searching and lack of guidelines can create 
issues. When is it appropriate or inappropriate to use Internet searching to collect 
information about an individual? The answer depends on interpretation of a vari¬ 
ety of current laws, regulations, and standards, among which are the Fair Credit 
Reporting Act (as amended), Privacy Act (as amended), and state employment 
laws. Several laws, including the Health Insurance Portability and Accountability 
Act, Gramm-Leach-Bliley, and Sarbanes-Oxley Act, control the protection of per¬ 
sonally identifying information in certain industries. In a nutshell, information 
collected for an investigative purpose that creates a record containing personally 
identifying information may be subject to privacy and security requirements in US 
laws and regulations. It is potentially problematic if casually searched, individual- 
specific information is handled inappropriately. US government laws and regula¬ 
tions require that if a federal employee acquires Internet search data to be used 
or retained, it must be placed in an authorized records repository. Although it is 
not forbidden to look for, find, and record such data, possession of Internet search 


Copyrighted material 


16 ■ Cybervetting 


results imposes both declared and implied responsibilities on persons, depending 
on what they do with the data. 

The ethics of Internet searching and use of the results thereof are another chal¬ 
lenge. Is it appropriate (legal and ethical) to use a highly personal item posted on a 
social site to share with friends and family in an employment adjudication? Some 
argue that the intent of the one posting personal information should be respected 
by others, yet anything posted publicly is by its nature made available to anyone 
and everyone. In the absence of policies or procedures (or adherence to them), a 
person in authority may selectively conduct Internet searches on some, but not all, 
individuals of interest. Search methods may vary. Analysis of search results may be 
disciplined and effective or not. Depending on the searcher, the search itself and 
analysis of the results may be incomplete, ineffective, and inaccurate. Information 
gleaned may be correct or incorrect. The subject of the search may be aware of it 
or not. Casual searching can therefore raise issues of fairness, competence, proper 
handling and analysis of data, secure storage, privacy protection, redress, and per¬ 
haps other questions. 

There is nothing wrong with using the Internet as a telephone directory, method 
of connecting with someone else, or reminder of facts about an individual of inter¬ 
est. Profiles with photos online make it easy for two new acquaintances to meet 
in a crowded public place because each recognizes the other from their online pic¬ 
tures. It is when an inquiry begins to delve into the personal profiles of others with 
potentially adverse consequences that questions arise. After all, the information is 
posted on the Internet in a manner that makes it available to anyone inquiring—so 
it hardly can be said to enjoy privacy protection. However, depending on the role 
and intentions of the searcher, Internet data that may have an impact on a deci¬ 
sion assumes another character and must be approached according to some basic 
principles. The alternative could result in unfair, arbitrary, or prejudicial treatment. 


Internet Posts and the People They Profile 

“On the Internet, nobody knows you’re a dog,” said a famous New Yorker car¬ 
toon, in which a dog at a keyboard was speaking to another dog. 35 Even when the 
name, nickname, “handle,” or other identifiers of the person of interest appear 
on a web page, one may not know who actually posted it. Essentially, there are 
many ways to post material anonymously or falsely in another’s name, with or 
without skilled hacking or knowledge of another person’s password. Current social 
norms include the use of nicknames for many types of social networking profiles, 
as well as game sites, interest group pages, sales sites like eBay and craigslist, blogs, 
Internet Relay Chat (IRC), and free e-mail accounts. Such nicknames are in fact 
aliases, and some would suggest that it is proper to conceal the true (or full) iden¬ 
tity of the person by use of the nickname. This may help protect the individual 
against unwelcome contacts from strangers and sales pitches. Protocols of e-mail 


Copyrighted material 



The Internet's Potential for Investigators and Intelligence Officers ■ 17 


address naming have evolved to recognize the uncomfortable fact that executives 
and public figures should not employ a straightforward e-mail address lest they 
subject themselves to a deluge of unwelcome spam. Ironically, these evolving naming 
conventions create a situation in which almost everyone fails to list all their “virtual 
identities” (i.e., those used on the Internet) as aliases when filling out application 
forms. In addition, it is common for users to have both a formal e-mail address 
(e.g., John.Doe@gmail.com, John.Doe@bigbusiness.net) and a recreational, more 
personal e-mail address (e.g., BigJD123@yahoo.com). Identifying individuals 
online is rendered more difficult when they use multiple identities for different 
Internet activities and communications. However, if one can find out all or most 
such nicknames, each one can be used as a search term to find instances where the 
individual appears online. Analysis of the results must always include the caveat 
that the individual found may not really be identifiable with the person of interest 
because multiple individuals can use the same nickname, people can pretend to be 
someone else, and users can share the same computer with the same virtual identi¬ 
ties (e.g., spouses using the same e-mail address). 

While those who post information can provide a treasure trove of useful facts 
about themselves, it is true that people often upload items about other individuals 
as well. Many personal profiles carry a fairly large body of information, including 
blogs, messages posted (e.g., Facebook friends’ comments), photos, and links to the 
personal profiles of a social circle. By reading not only the postings of one indi¬ 
vidual but also those of his or her connections, it is often possible to develop a more 
complete impression of the subject’s behavior, characteristics, and suitability. As 
indicated, most often a person’s online profile results in a positive impression of the 
subject because most people behave well in the virtual presence of others, including 
their social circle. However, it also occurs relatively frequently that misbehavior can 
be seen where the person has that proclivity. Even though more mature people all 
should know that postings without privacy controls can be seen by anyone, it is not 
unusual to find postings that are scandalous, embarrassing, and likely to result in 
denial of employment by any employer made aware of them. 

dhere are many examples of notorious conduct emblazoned for history on the 
public Internet by persons of whom one could only ask, “What were they thinking?” 
Among such examples are two New York Congressmen, Chris Lee and Anthony 
Weiner, who respectively sent flirtatious notes and shirtless photos to a woman via 
craigslist using a Facebook e-mail in his own name and sent lewd photos of himself 
to a college student via his Twitter account. Lee resigned from office in February 
2011. Weiner first denied what he did, claiming hacking, then admitted it shortly 
thereafter, and in June 2011 resigned. 36 Weiner attempted a comeback as a candi¬ 
date for New York City mayor but was decisively defeated. Although it may not be 
shocking that many people post or send embarrassing things about themselves, it is 
remarkable how thoughtless of the consequences ostensibly intelligent and respon¬ 
sible individuals can be in online misbehavior. 


Copyrighted material 



18 ■ Cybervetting 


As with caveats about postings ostensibly attributable to a known individual, 
postings by a person about someone else may suffer from several defects, includ¬ 
ing lack of attribution (i.e., an anonymous poster, perhaps a hacker attempting 
“social networking” to infect computers with malware), untrue or unverifiable alle¬ 
gations, and practical jokes or slander. The questions that must be asked about such 
postings include the following: Who said what about whom? Are there any other 
indications of similar allegations verifying the information? Are the statements, 
photos, videos, audio recordings, and so on believable? Despite the care that must 
be exercised with postings by one person about another, examples abound of useful 
information found online. A son revealed his father’s illegal activities and hatred 
for his employer. A man’s social profile contained a link to his ex-wife’s blog, which 
detailed his many years of misbehavior, including domestic abuse. A woman and 
her friends posted stories and photos of their drunken partying, complete with 
sexual content and ample examples of faulty judgment. Another woman recounted 
her history of drug abuse and sales in postings on a friend’s blog. A skilled com¬ 
puter security employee spent hours at work playing a commander in an online war 
game, and his bragging was quoted in posted interviews and news stories. 

A category of postings that should not be forgotten is false social networking 
profiles that are used to lurk and observe, deceive, harass, bully, slander, or other¬ 
wise victimize others. Two notorious examples are worth mentioning. Lori Drew, 
the mother of a 13-year-old girl with a rival, Megan Meier, the same age, created a 
false MySpace profile with the picture of a fictitious 16-year-old boy named “Josh 
Evans.” Drew used this fake profile to torment Meier, who “had a history of depres¬ 
sion and suicidal impulses,” flirting with Meier for a time, then suddenly telling 
Meier that Evans “no longer liked her,” and that “the world would be a better place 
without her in it.” Shortly thereafter, Meier killed herself. Drew then deleted the 
fake account. 37 She was federally prosecuted. Latisha Monique Frazier disappeared 
in August 2010, shortly after leaving work, and her family frantically searched for 
her, distributing posters and using the media. A Facebook profile appeared, harass¬ 
ing and threatening Frazier’s family. An investigation resulted in the arrest and 
prosecution of six people for Frazier’s disappearance and murder. 38 

A key example of third-party postings is the ever-widening variety of records 
that appear online. All records may include errors. However, records are especially 
useful because they are kept in the normal course of business and are apt to be accu¬ 
rate on the whole. That is why records are an exception to the hearsay rule and are 
admissible in court. Online records include not only public government databases 
but also media reports, directories, and cross-references such as telephone numbers 
and web identifiers like IP addresses, profiles, and lists of links. All of these pro¬ 
vide information by one person or entity about another, and although each should 
be viewed as requiring verification, they are an excellent way to amass facts, leads 
and perhaps suspicions for an investigation about a subject. 


Copyrighted material 



The Internet's Potential for Investigators and Intelligence Officers ■ 21 


3. Pew Internet and American Life Project statistics, http://www.pewinternet.org/Static- 
Pages/Trend-Data-(Adults)/Whos-Online.aspx (accessed October 25, 2013). 

4. Internet World Stats, http://www.internetworldstats.com/stats.htm (accessed 
October 25, 2013). 

5. The Zettabyte Era, Trends and Analysis, Cisco estimate of Internet traffic growth, 
http://www.cisco.com/en/US/solutions/collateral/ns341 / ns525/ns537/ns70 5/ns827/ 
VNI__Hyperconnectivity_WP.pdf (accessed October 25, 2013). 

6. Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 
2012-2017, http://www.cisco.com/en/US/solutions/collateral/ns34l/ns525/ 
ns537/ns705/ns827/white_paper_cl 1 -520862.html; http://tools.cisco.com/search/ 
results/en/us/get#q=total+Global + IP+tralHc<3£pr=enushomesppublished<5£basepr 
= enushomesppublished&prevq = &sort=cdcdevfour&start=0&hits= 1 0&qid = 4 
&websessionid=wOP5nG16i9LDUz5_ei-dMZ_&navexp=&:navlist=&navsel=&navop 
=&to=0&fr=7&un=true&aus=false&ec=0&:pf=& (accessed October 25, 2013). 

7. Internet Systems Consortium host count survey, http://www.isc.org/services/survey/ 
(accessed October 25, 2013). 

8. Madden, Mary, and Jones, Sydney, Networked Workers, September 2008, http://www. 
pewinternet.org/Reports/2008/Networked-Workers.aspx (accessed November 3, 2013). 

9. Meetings of Computer Crime and Digital Evidence Ad-Hoc Committee, International 
Association of Chiefs of Police, 2005—2012, in which briefings were received from law 
enforcement on computer crime and digital evidence trends seen by law enforcement 
and private sector investigators. 

10. King, Rachael, Departing Employees Are Security Horror, Wall Street Journal , 
October 21, 2013, http://online.wsj.com/news/articles/SBl00014240527023034420 
04579123412020578896 (accessed October 25, 2013), reporting results of a survey 
by Ponemon Institute and Symantec. 

11. See Note 9. 

12. Halpin, James, Prostitution Moving from Street Corners to Online Ads, Experts 
Said, Scranton Times-Tribune , October 13, 2013, http://thetimes-tribune.com/news/ 
p rosti tut ion-moving-from-st reet-corners-to-on line-ad s-experts-said-1.1 568034 
(accessed October 25, 2013). 

13. Reed, Brad, Bitcoin Bust: Feds Break Up Country’s Largest Bitcoin Drug Ring, Yahoo 
News , October 2, 2013, reporting FBI breakup of the drug-organized crime ring 
known as Silk Road, http://news.yahoo.com/bitcoin-bust-feds-break-country-largest- 
bitcoin-drug-0345l6881.html (accessed October 25, 2013). 

14. Anderson, Janna Q., Elon University, and Rainie, Lee, Pew Research Centers 
Internet and American Life Project Millennials Will Benefit and Suffer Due to Their 
Hyperconnected Lives, February 29, 2012, http://www.pewinternet.Org/-/media// 
Files/Reports/2012/PIP_Future_of_Internet_2012_Young_brains_PDF.pdf (accessed 
November 5, 2013). 

1 5. Meetings of Computer Crime and Digital Evidence Ad-Hoc Committee, International 
Association of Chiefs of Police, 2005-2012. 

16. Page, Larry, Googles Goal: “Understand Everything,” Business Week , May 3, 2004, 

http://www.businessweek.com/magazine/content/04_1 8/b3881 01 0_mz001 .htm 

(accessed August 6, 2010). 

17. American Management Association, 2007 Electronic Monitoring and Surveillance 
Survey, http://press.amanet.org/press-releases/177/2007-electronic-monitoring- 
surveillance-survey / (accessed May 5, 2010). 


Copyrighted material 



22 ■ Cybervetting 


18. Nixon, W. Barry, and Kerr, Kim M., Background Screening and Investigations , Managing 
Risk from HR and Security Perspectives (New York: Elsevier, 2008). 

19. Studies and investigations I conducted of thousands of individuals have found that a 
significant percentage have serious derogatory references online. More on this subject 
appears in subsequent chapters. 

20. Security Policy Reviews, Intelligence Office, National Security Council, The White 
House, Washington DC, January 1995—May 1997, by the author as director, Security 
and Counterintelligence Programs, Personnel Security Working Group, et al., 
Evaluation of DCID 1/14 Investigative Requirements (Washington, DC: Director of 
Central Intelligence, April 1991): “The least productive sources include neighborhood 
interviews, which are also the most expensive and time consuming.” PERSEREC, 
SSBI Source Yield: An Examination of Sources Contacted during the SSBI, TR 96-01, 
March 1996, explored the net value of sources used in background investigations; see 
http://www.dhra.mil/perserec/index.html. 

21. Madden, Mary, Fox, Susannah, Smith, Aaron, and Vitak, Jessica, Digital Footprints, 
Online Identity Management and Search in the Age of Transparency, Pew Internet and 
American Life Project, December 16, 2007, http://pewresearch.org/pubs/663/digital- 
footprints (accessed June 24, 2010). 

22. CareerBuilder.com survey, August 20, 2009, http://thehiringsite.careerbuilder. 

com/2009/08/20/nearly-half-of-employers-use-social-networkingsites-to-screen-job- 
candidates/ (accessed March 30, 2010); Kwoh, Leslie, Beware: Potential Employers 
Are Watching You, Wall Street Journal, October 29, 2012, http://online.wsj.com/news/ 
articles/SB 10000872396390443759504577631410093879278#printMode (accessed 
October 25, 2013). 

23. DeMers, Jayson, The Top 7 Online Marketing Trends that Will Dominate 2014, 
Forbes , September 17, 2013, http://www.forbes.com/sites/jaysondemers/2013/09/17/ 
the-top-7-online-marketing-trends-that-will-dominate-20l4/ (accessed November 4, 

2013) . 

24. Beyea, Suzanne, Finding Internet Resources to Support Evidence-Based Practice, 
AORN Journal , September 2000; Cassell, Kay Ann, and Hiremath, Uma, Reference 
and Information Services in the 21st Century , An Introduction , 2nd ed. (Chicago: Neal- 
Schuman, 2009), http://www.neal-schuman.com/reference21st2nd. 

25. Brynley-Jones, Luke, What to Look for in a Social Media Monitoring Tool, November 
2012, http://socialmediatoday.com/lbrynleyjones/993011/what-look-social-mcdia- 
monitoring-tool?utm_source=dlvr.it&:utm_medium=linkedin#! (accessed January 22, 

2014) . 

26. IDC Digital Universe Study—Data Growth, http://gigaom.com/2013/10/02/how- 
the-industrial-internet-will-help-you-to-stop-worrying-and-love-the-data/screen-shot- 
2013-09-24-at-4-11 -40-pm/ (accessed November 4, 2013). 

27. Ohio State University Internet guide, http://liblearn.osu.edu/guides/weekl/pg6.html 
(accessed November 4, 2013). 

28. Barbara, John J., Data Storage Issues, DEI News , September 17, 2013, http:// 
www.dfinews.com/articles/201 3/09/data-storage-issues (accessed July 15, 2004) 
et_cid=3555443&et_rid=454846245&type=cta#.Um7KDM3D_IU. 

29. IDC Predicts 2012 Will Be the Year of Mobile and Cloud Platform Wars as IT Vendors 
Vie for Leadership While the Industry Redefines Itself, December 1, 2011, http:// 
www.reuters.com/article/201 l/12/01/idUSl50958+01-Dec-2011+BW20111201 
(accessed November 4, 2013). 


Copyrighted material 



Chapter 2 

Behavior Online 


Internet Use Growth 

Over 2.4 billion people worldwide, 34% of the worlds population, including 
nearly 85% of adult Americans, frequently use the Internet. 1 Higher percentages of 
those who are younger, more affluent, and better educated use the Internet for all 
types of purposes, including communications, social, recreational, and commercial 
exchanges. 2 The Internet has become an essential element of life for government, 
industry, organizations, and individuals. Telecommunications ride the Internet 
protocol (IP) backbone. Retailers and government agency services depend on their 
presence online for services, marketing, billing, and communications. 

As constructive Internet uses have enriched American life dramatically, an 
equally destructive increase has occurred in the use of the Internet for illegal, illicit, 
and inappropriate purposes. Susannah Fox of Pew s Internet and American Life 
Project said in 2008: 

Our research finds that many Americans are jumping into the par¬ 
ticipatory Web without considering all the implications. If nothing 
really bad has happened to someone, they tend neither to worry about 
their personal information nor to take steps to limit the amount of 
information that can be found about them online. On the other hand, 
if someone has had a bad experience with embarrassing or inaccurate 
information being posted online, they are more likely to take steps to 
limit the availability of personal information. 3 

The phenomenon of Americans revealing a little too much about themselves, 
including documenting their own misbehavior, suggests that employers should be 

25 


Copyrighted material 


Behavior Online ■ 29 


widespread exposure of postings. Note that sites’ AUPs may forbid certain uses 
of information (e.g., collecting users’ identifying data for commercial advertising 
purposes), but having an account allows a user to see other users’ public profiles. 
Although users can invoke privacy controls, a large number do not choose to do 
so. 10 Thus results in a large number of postings of a potentially offensive nature, 
such as self-admitted drug and alcohol abuse and postings offering pornography. 
Employees using ostensibly innocent sites can expose the workplace to those offen¬ 
sive postings. Internet use habits thus bring a certain amount of unwelcome content 
into the workplace. Unfortunately, improper computer use occurs both outside and 
inside the workplace. 

Increasingly, businesses monitor or block employees’ Internet surfing, personal 
e-mail, blogging, social networking, shopping, and other online activities on com¬ 
pany machines. A substantial percentage of monitored employees are caught and 
disciplined or fired for improper systems use. Most employers told an American 
Management Association survey 11 that although they notify employees of the mon¬ 
itoring, there is an increasing incidence of disciplinary action. Clearly, this indicates 
that the temptation to abuse employers’ systems overcomes the threat of disciplin¬ 
ary action, up to termination. Reportedly, 28% of employers surveyed fired workers 
for e-mail misuse. At the root of concern is accountability for online actions. As 
far as we know, no correlation was measured between employers who check can¬ 
didates’ Internet habits before hiring and employers who monitor employees’ work 
computers on the job. As yet, formal Internet vetting appears not to be a common 
practice, at least not so common that it was included in the survey. 

The incidence of employee criminal activities detected has grown, according 
to recent surveys, including studies of identity theft, retail industry losses, data 
breaches by insiders and outsiders, and intellectual property loss. 12 An additional 
concern for industry is that employers continue to lose 73% of negligent hiring 
cases that go to jury trials, as cited by Barry Nixon and Kim Kerr in their excel¬ 
lent book on background investigations. 13 Therefore, available information about 
trends suggests that employers have reason for concern about the potential inci¬ 
dence, impact, and security implications of illicit computer use by both candidates 
and employees. 


Evolution of Internet Uses 

Online activities’ popularity and participation reflect the massive surge of individu¬ 
als of all ages and nationalities embracing the Internet, some allowing migration to 
automated versions of physical activities (e-mail for postal mail) and some for the 
new forms of Internet social interaction, entertainment, education, e-commerce, 
news, games, fantasy, pornography, and communications offered. Increased band¬ 
width has allowed films, music, video, and TV to stream into computers, handheld 
devices, and television sets, disrupting traditional sources, while adoption of 4G 


Copyrighted material 



30 ■ Cybervetting 


wireless (and beyond) allows all types of computing to travel. New hardware and 
software have supported services through low-cost, high-bandwidth, wireless tele¬ 
communications, including search, geo-location and networking, building large- 
scale business, government, academic, and organizational structures to provide 
online functions. 

Frequently updated demographic data from Pew Internet and American Life 
surveys, 14 as set out in Figures 1.4 and 1.5, suggest that Internet use is much higher 
for those with more education, higher income, and dwelling in urban areas. For 
example, 96% or more of college graduates with income over $75,000 annually are 
Internet users. From the standpoint of a personnel security specialist, virtually all 
applicants and employees are probably engaged in frequent Internet use. 

The highest percentages 15 of those online use the Internet for searching, e-mail, 
directions, a hobby or interest, weather, shopping, news, web surfing, video, buy¬ 
ing, government, social networking, travel arrangements, and so on. Social net¬ 
working is a highly popular Internet activity (see Figures 2.1 to 2.5), 16 driving many 


Online Activity 

Use a search engine 

Send or read e-mail 

Find a map or directions 

Pursue a hobby or interest 

Check the weather 

Shop for a product/service 

Get news 

Web surf for fun 

Watch a video 

Buy a product 

Use a government site 

Social networking 

Arrange for travel 

Look for political news 

Bank online 

Look for a job 

Use online classified ads 

Look at Wikipedia 

Find "how-to" info 

Take a virtual tour 

Get sports news 

Find info about someone 


% of Users 

Survey Date 

91 

2/1/2012 

88 

12/1/2012 

84 

8/1/2011 

84 

8/1/2011 

81 

5/1/2010 

78 

9/1/2010 

78 

8/1/2012 

74 

8/1/2011 

71 

5/1/2011 

71 

5/1/2011 

67 

5/1/2011 

67 

12/1/2012 

65 

5/1/2011 

61 

12/1/2012 

61 

5/1/2011 

56 

5/1/2011 

53 

5/1/2010 

53 

5/1/2010 

53 

12/1/2012 

52 

8/1/2011 

52 

1/1/2010 

51 

8/1/2012 


Figure 2.4 Pew Internet and American Life Surveys have shown the most popu¬ 
lar online activities in the past few years (see Note 15). 


Copyrighted material 


Behavior Online ■ 33 


A foreign-born engineer downloaded hardware and software designs and took 
them with him to a new employer months before his economic espionage was 
detected. He had a long history of unauthorized access to his employers’ data not 
necessary for his work, and an examination of his computer use habits would have 
shown several red flags. I le was convicted of economic espionage. 20 

A computer security employee acted as the principal manager of a massively mul¬ 
tiplayer online role-playing game (MMORPG) involving thousands of people 
under his direction in a fantasy space war. He held a live online strategy meet¬ 
ing in which he used racist, sexist, and other inflammatory language contrary 
to his employer’s policies and posted a recording of the offensive remarks online. 
Because of his prolific postings and newspaper interviews, the true name and 
employment of the person were widely known. On investigation, it was shown 
that on numerous occasions he used company time to engage in his Internet fan¬ 
tasy role. Especially in view of his computer security role and his cavalier behavior 
in violation of his employer’s code of conduct, he posed a significant security risk 
and probably committed felonious theft of salary for services he did not perform 
while playing at work. 


A US soldier deployed to Iraq posted numerous photographs of his deployment 
on his social network site profile, with no privacy protections, using his military 
e-mail address as his profile name. Among the photos were sensitive fortifications 
and an obscene photo of a fellow soldier. Not only could the enemy see the soldier’s 
postings, but also the postings blatantly violated the Military Code of Conduct. 

An employee of a defense facility posted a detailed biography, numerous photo¬ 
graphs (including military bases and aircraft), travel itineraries of extensive global 
tourism, dozens of friends and acquaintances (including many from abroad), 
and indiscreet descriptions of herself as “an adventure junkie.” The description 
included birth in a former Soviet bloc country, friends in nations unfriendly to 
the United States, plans to travel abroad in the future, and contact information, 
including true name, work e-mail address, phone numbers, and other personal 
data—all available for anyone to see. This is a classic case of a blatant security risk, 
an attractive candidate for hostile intelligence or terrorist interest, and a possible 
indicator of naive lack of security awareness by the individual. 


Because Internet usage has changed, employers should pay attention to the risks 
that may be added by employees’ online habits and by new employees whose IT 
system habits are not yet known. The nature of added risks can be significant with 
even a small number of authorized users whose computer and portable device activ¬ 
ities include illegal and illicit behaviors, such as copyright infringement, fraud, and 
harassment. Ironically, automation provides capabilities that convey what Chinese 
military leaders like to call a great equalizer because it is the enemy’s dependence 
on computers that allows an external or internal attack to have immediate, dispro¬ 
portionate impact. The US attacks on Iraq and Afghanistan illustrate the impact 


Copyrighted material 



34 ■ Cybervetting 


of cyber warfare, based on media reports of communications and utility outages 
caused by a combination of physical and cyber assaults. Insider attacks are particu¬ 
larly difficult to prevent and to detect. Even when detected, insider attacks may be 
so destructive that it is all but impossible to recover. 


Physical World, Virtual Activities 

Among the activities moving online are several that can cause unanticipated prob¬ 
lems in a virtual world because of distinct characteristics that are different from 
the physical versions that they replace. For example, stolen property was previ¬ 
ously offered for sale to pawn shops, flea markets, and in classified newspaper ads. 
Today, eBay and craigslist (to name just two of many websites) offer the capability 
of selling to millions of prospective customers while maintaining anonymity in a 
forest of similar ads. Information can be taken not by photocopying documents 
but by searching for sensitive and valuable data, downloading and copying, print¬ 
ing, burning to a thumb drive or CD, or simply e-mailing or uploading it out 
of the enterprise. One example of a physical norm that for most employers does 
not translate into the virtual world is the request that an applicant provide aliases 
on preemployment forms. Few employers require a listing of e-mail addresses and 
other virtual identities, ignoring the widespread behavior of Internet users who 
have several online personas, including some without any indicator of their true 
name; several user IDs, also unlike their name; and several nicknames used for 
specific websites. It is not unusual for today’s Internet user to have different user 
IDs for e-commerce, banking, social sites, e-mail, music, videos, photos, games, 
hobbies, and so on. Recorded online are activities that in most cases are, like their 
physical counterparts, legal and proper. However, in the minority of individuals 
inclined to engage in illegal, antisocial, or offensive behavior, it is likely that they 
have left evidence online. When this assertion is made to some employers and even 
investigators, they express skepticism because using anonymous virtual identities is 
so easy. Nevertheless, there will always be a substantial number of people who bla¬ 
tantly post evidence of their offensive conduct, either inadvertently or purposefully 
sprinkling the Internet with examples. 


Connections and Disconnecting 

An observer of the Internet scene remarked that when past generations graduated 
from college, they maintained contact with their eight best friends, losing track of 
the dozens of others whom they now only meet at reunions or by chance. Today’s 
graduates often retain contact with “eighty best friends,” who link to each other in a 
variety of ways, including social sites, alumni groups, and mutual interest websites. 
Today, it is harder to avoid the one or two in every group who have taken a bad 


Copyrighted material 



Behavior Online ■ 35 


turn, such as substance abuse, criminal activities, and association with shady char¬ 
acters. Striving to be one of the “good guys” can expose an individual to people and 
activities that perhaps could easily have been avoided when our electronic personas 
did not allow us to be tracked wherever we go. Small indiscretions can become 
widespread news in a flash. It would seem that discreet behavior would help protect 
the wired crowd from exposure through today s social networking. However, the 
opposite appears to be the case. Even in groups that have learned to turn on their 
Facebook privacy protections, it appears that blatant examples of misbehavior are 
posted often, if not by an individual about himself or herself, then by a friend, 
family member, or associate who considers the story, photos, videos, or other items 
amusing. Almost everyone has something in his or her background that he or she 
would rather not talk about. Today, it is likely that that something will appear 
online. Extricating oneself from damning postings can be difficult (although not 
impossible). A cottage industry has grown up around removal of embarrassing 
materials from websites, either by those who regret having placed it there in the 
first place or by those who feel slandered or at least “outed ” by others’ postings. Two 
unfortunate factors may impede removal of such postings: Ihe websites may not 
respond positively in a timely manner, and the cached images of the prior postings 
could remain available through several search engines and archive sites for some 
time (years). The only way to be certain that derogatory information is not online 
is avoiding having it posted in the first place. 

Ironically, Pews research in recent years showed that from 2006 to 2009, the 
percentage of Internet users in each age group that took steps to limit the amount 
of information about them available online decreased in all age categories (see 
Figure 2.7). In a 2012 study, 21 Pew found that teens aged 12—17 were more likely to 


Limiting Personal Information 

% of Internet users in each age group who take steps to limit 
the amount of information available online about them 



Total 18-29 30-49 50-64 65+ 


Figure 2.7 In this 3-year period, efforts to limit online information diminished 
for all age categories. 


Copyrighted material 



36 ■ Cybervetting 


post their photo, school, city of residence, e-mail address, and cell phone number 
than before. While these percentages are apt to change as people learn how best to 
connect electronically, the phenomenon of openness online appears to be here for 
the indefinite future. When users later have regrets about the impressions given by 
their postings, they may be unable to purge them. 

In fact, it may be easier said than done to keep the Internet free of material 
about anyone. In doing background investigations on numerous people at all lev¬ 
els of business and government, I have found extensive data even on those with 
little or no inclination to use the Internet. Among the types of data are direc¬ 
tories (addresses, phone numbers), neighborhood maps and satellite photos, even 
ground-level photos of homes, employers’ websites, trade publications, associations, 
schools, genealogical records, court records, media reports, and more. Besides the 
free data available on the Internet, services like LexisNexis; Acurint (a Lexis service 
providing private and public data mined from multiple government, business, and 
directory sources); Intelius (which provides background data for a fee to anyone 
with a credit card); and other data providers can be found online that profile virtu¬ 
ally anyone for a fee. 22 

Business and government leaders, those who are subjects of news stories, and 
many others find themselves “available” to anyone willing to inquire: Who are 
they? What is their background? What have they been accused of? At first blush, 
it does not seem fair that even those who do not use the Internet would find them¬ 
selves profiled there for almost anyone to see. Yet, it is precisely this attribute of 
the information society, as the Europeans would say, that makes the Internet so 
interesting: You can probably find out about almost anyone. Of course, in Europe, 
Canada, and Asia, privacy regulations keep much personal information off the Web 
if the subject of interest is not a public figure and does not “opt in.” In the United 
States, one must “opt out” to protect personal data. More about privacy appears in 
Section II. 

In several cases, executives have sought to find every Internet reference to them 
and tried to expunge references that reveal too much. Whether they are subject 
to the chants of demonstrators outside their Manhattan condominiums, kidnap¬ 
ping attempts on their wives and children in Bogota, e-mail extortion threats, let¬ 
ter bombs, or other attacks in San Jose, some well-known individuals have found 
that Internet publicity has worked to their detriment. Celebrities and politicians 
are frequently threatened, attacked, and hacked online. Those subjected to attacks 
by interest groups begin to feel that it is all too easy to learn about their private 
lives by googling their names. Some corporate efforts have been focused on finding 
and erasing the postings that can facilitate threats, stalking, harassment, and in 
some cases, physical attacks. Yet, millions of young people continue to build a rich, 
multifaceted online record of their life’s trivia. 


Copyrighted material 



Behavior Online ■ 37 


Notes 

1. Internet World Stats as of June 2012, http://www.internetworldstats.com/stats.htm 
(accessed November 12, 2013). Pew Internet and American Life Project, May 2013 
survey, http://www.pewinternet.org/Commentary/2011 /November/Pew-Internet- 
Health.aspx (accessed November 12, 2013). 

2. Pew Internet and American Life Project, http://www.pewinternet.org. 

3. Fox, Susannah, Privacy Implications of Fast, Mobile Internet Access, Pew Internet and 
American Life Project, February 13, 2008, http://www.pewinternet.Org/-/media/Files/ 
Reports/2008/Privacy_Fast_Mobile_Access.pdf.pdf (accessed November 12, /2013). 

4. Statistic Brain, Facebook statistics, June 23, 2013, http://www.statisticbrain.com/ 
facebook-statistics/ (accessed November 12, /2013). 

5. cBiz MBA, Internet statistics updated monthly, November 1, 2013, http://www. 
ebizmba.com/articles/social-networking-websites (accessed November 12, 2013). 

6. Rainie, Lee, Pew Internet and American Life, Networked Worlds and Networked 
Enterprises, November 7, 2013, at the Knowledge Management and Enterprise 
Solutions Conference, Washington, DC. 

7. Alexa, Top Sites in the United States, http://www.alexa.com/topsites/countries/US 
(accessed November 12, 2013). 

8. Madden, Mary, and Jones, Sydney, Networked Workers, Pew Internet and American 
Life Project, September 24, 2008, http://www.pewinternet.org/Reports/2008/Networked- 
Workers.aspx. 

9. Presentations and discussions at semiannual conferences of the International Association 
of Chiefs of Police (the Computer Crime and Digital Evidence Committee that I 
founded) and annual presentations at the ASIS International Conference since 1995. 

10. Fox, Susannah, Pew Internet and American Life Project, February 2008, based on Pew 
Digital Footprints Internet Project, December 2007; Symantec cybercrime summary, 
http://www.symantec.com/norton/cybercrime/index.jsp (accessed August 8, 2010); 
Paget, Francois, Cybercrime and Hacktivism, McAfee Labs, March 2010, http://www. 
mcafee.com/us/local_content/white_papers/cybercrime_20100315_en.pdf (accessed 
August 8, 2010). 

11. Bourke, James, Curbing and Battling Employee Misuse of Technology, March 24, 
2008. An American Management Association survey found that approximately 75% 
of respondents monitor their employees’ website visits to prevent inappropriate surf¬ 
ing. In addition, 65% of those surveyed used software to block or filter connections 
to websites deemed ofl limits to employees, while about one-third (33%) tracked key¬ 
strokes and time spent online. Over 50% reviewed and retained e-mail messages sent to 
and from their employees. http://www.cpa2biz.com/Content/media/PRODUCER_ 
CONTENT/Newsletters/Articles_2008/CPA/Mar/Misuse_of_Technology.jsp 
(viewed March 30, 2010). 

12. Greenemeier, Larry, Information Week Research—Accenture 10th Annual 
Information Security Survey, July 2007, http://www.informationweek.com/story/ 
showArticle.jhtml?articleID=201001203 (accessed May 5, 2010); The Post Breach 
Boom, Ponemon Institute, February 26, 2013, http://www.ponemon.org/blog/the- 
post-breach-boom (accessed November 14, 2013); Insider Threat Study: Illicit Cyber 
Activity Involving Fraud in the US Financial Services Sector, Software Engineering 
Institute, Carnegie Mellon University, July 2012, http://resources.sei.cmu.edu/library/ 
asset-view.cfm?assetID=27971 (accessed November 14, 2013). 


Copyrighted material 



38 ■ Cybervetting 


13. Nixon, W. Barry, and Kerr, Kim M., Background Screening and Investigations , Managing 
Risk from HR and Security Perspectives (New York: Elsevier, 2008). 

14. See http://www.pewinternet.org/Static-Pages/Trend-Data-(Adults)/Whos-Online.aspx 
(accessed November 14, 2013). 

15. Catalogued and updated Pew Internet and American Life Surveys, http://www.pewm- 
ternet.org/Trend-Data-(Adults)/Online-Activites-Total.aspx (accessed November 14, 
2013). 

16. Pew Internet and American Life Project statistics, http://www.pewinternet.org/ 
Reports/2011/Social-Networking-Sites/Report.aspx?view=all (accessed November 14, 
2013). 

17. Pew Internet and American Life studies indicate multiple dimensions in which a person 
may be called a “power user,” http://www.pewinternet.org/Search.aspx?q=power%20 
users&i=20, including Madden, Mary, Four or More, The New Demographic , June 
2010, http://www.pewinternet.org/Presentations/2010/Jun/Four-or-More—The- 
New-Demographic.aspx (accessed November 14, 2013). 

1 8. Horrigan, John, The Mobile Difference, Pew Internet and American Life, http://www. 
pewinternet.org/Reports/2009/5-The-Mobile-Difference—Typology.aspx, http:// 
www.pewinternet.org/Search.aspx?q=wireless%20use, and http://www.pewinternet. 
org/Search.aspx?q=home%20wireless (accessed November 14, 2013). 

19. Horrigan, John B., A Typology of Information and Communication Technology Users, 
Pew Internet and American Life Project, May 7, 2007, http://www.pewinternet.Org/-/ 
media//Files/Reports/2007/PIP_ICT_Typology.pdf.pdf (accessed June 24, 2010). 

20. US Department of Justice, press release, August 2, 2007. On August 1,2007, Xiaodong 
Sheldon Meng, 42, formerly a resident of Beijing, China, and resident of Cupertino, 
California, pleaded guilty to violating the Economic Espionage Act (EAA), the Arms 
Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR), 
http://www.usdoj.gov/criminal/cybercrime/mengPlea.htm (accessed May 5, 2009). 

21. Teens, Social Media, and Privacy, Pew Internet and American Life Project, http:// 
www.pewinternet.org/Reports/2013/Teens-Social-Media-And-Privacy/Main-Report/ 
Part-2.aspx (accessed January 25, 2014). 

22. O’Harrow, Robert, Jr., No Place to Hide (New York: Free Press, 2005). 


Copyrighted material 



Chapter 3 

Use and Abuse: Crime 
and Misbehavior Online 


Introduction 

In 2011, at least 2.3 billion people, the equivalent of more than one-third of the 
world’s total population, had access to the Internet. Over 60% of all Internet users 
are in developing countries, with 45% of all Internet users below the age of 25 years. 
By the year 2017, it is estimated that mobile broadband subscriptions will approach 
70% of the world’s total population. By the year 2020, the number of networked 
devices (the “Internet of things”) will outnumber people by six to one, transforming 
current conceptions of the Internet. In the hyperconnected world of tomorrow, it 
will become hard to imagine a “computer crime,” and perhaps any crime, that does 
not involve electronic evidence linked with Internet protocol (IP) connectivity. 1 

Computer-based crime (i.e., criminal acts committed using computers or where 
computers hold evidence of a crime) is poorly measured. Unfortunately, few if 
any solid metrics are available on the incidence, proportion, or impact of illegal 
Internet uses. Regional computer forensic laboratories run by the Federal Bureau 
of Investigation (FBI) in 15 different US regions have experienced rapid, sustained 
increases in the types, numbers, and quantities of data involved in all criminal 
activities involving computers. 2 FBI Director James B. Comey testified before 
Congress 3 that 

The diverse threats we face are increasingly cyber-based. Much of 
America’s most sensitive data is stored on computers. We are losing 
data, money, and ideas through cyber intrusions. This threatens inno¬ 
vation and, as citizens, we are also increasingly vulnerable to losing 


39 


Copyrighted material 


40 ■ Cybervetting 


our personal information. That is why we anticipate that in the future, 
resources devoted to cyber-based threats will equal or even eclipse 
the resources devoted to non-cyber based terrorist threats. 

The Internet Crime Complaint Center (IC3) reported 4 that in 2012, after 
double-digit increases since 2008, the IC3 received 289,874 consumer complaints 
representing over $525 million in losses, an 8.3% increase in reported losses since 
2011. A 2013 UN cybercrime study said, “At the global level, law enforcement 
respondents to the study perceive increasing levels of cybercrime, as both individu¬ 
als and organized criminal groups exploit new criminal opportunities, driven by 
profit and personal gain.” 5 The UN study found that the victimization rate for 
cybercrime is significantly higher than that for “conventional crime,” particularly 
in developing countries. The 2013 PriceWaterhouseCoopers (PWC) US State of 
Cybercrime Survey 6 revealed, among other things: 

The cybercrime threat environment has become increasingly pervasive 
and hostile—and actions to stem the tide of attacks have had limited 
effect. We must accept that cyberattacks are now a routine part of 
doing business in today’s uncertain world, and they likely will be a part 
of doing business going forward. ... 

Leaders do not know who is responsible for their organization’s 
cybersecurity. ... 

Many leaders underestimate their cyber-adversaries’ capabilities and 
the strategic financial, reputational, and regulatory risks they pose. ... 

Leaders are unknowingly increasing their digital attack vulner¬ 
abilities by adopting social collaboration, expanding the use of mobile 
devices, moving the storage of information to the cloud, digitizing sen¬ 
sitive information, moving to smart grid technologies, and embracing 
workforce mobility alternatives—without first considering the impact 
these technological innovations have on their cybersecurity profiles. 


By the Numbers? 

Casing, communications, and planning are fundamental parts of many types of 
criminal conspiracies, which these days often take place online. Many types of crim¬ 
inal investigations, including Internet child exploitation; sex slavery and prostitu¬ 
tion; identity thefts; sale of stolen property; frauds; trafficking in pirated goods 
such as films, music, software, and hardware; counterfeiting; radical/terrorist activ¬ 
ities; intellectual property theft; malicious code use; and denial-of-service attacks, 
have experienced substantial increases in the past few years. Despite various efforts, 
including an FBI—Computer Security Institute annual computer crime survey 7 
and a US Department of Justice, Bureau of Justice Statistics survey a few years 


Copyrighted material 



Use and Abuse: Crime and Misbehavior Online ■ 41 


ago, 8 solid cybercrime statistics are still elusive. Increasing numbers reported in the 
press—including losses claimed at over $100 billion to $1 trillion annually—may 
be an indication of better Internet crime reporting or may signal rises in crime 
online (and certainly signal sensational media reporting). After 35 years of associa¬ 
tion with computer crime investigators and computer forensic examiners, I have no 
doubt that Internet crime has increased steadily and now has reached prodigious 
levels. The proof of this proposition is that wherever populations have grown, crime 
rates have increased—and it appears that the Internet is no exception. 

Sadly, Internet crime is rarely reported, rarely investigated, and rarely results 
in arrests and convictions. The most notorious cybercriminals are comparatively 
few in number. Federal, state, and local law enforcement have taken tens of mil¬ 
lions of reports of identity crimes (mostly frauds), yet can address only a handful 
of them. Many reported thefts of databases containing private, personally iden¬ 
tifying information go unsolved or unprosecuted. Frauds using stolen identities 
estimated in the tens of millions (dollars and incidents) are unsolved for the most 
part. Undercover operations on the Internet pitting cops against child molesters 
and porn traders consistently show large volumes of activity and historically com¬ 
prised half of anti-cybercrime efforts. Police chiefs have said that they have to limit 
their officers’ involvement in Internet crimes against children. Many chiefs describe 
these cases as a “bottomless pit” of relentless crimes that are not diminished by 
high-profile enforcement, such as NBC’s “To Catch a Predator” (where, ironically, 
repeat offenders were encountered because of the insatiable drive in molesters who 
knew or certainly should have suspected that the “children” encountered online 
could easily be undercover police—again). Although law enforcement is making 
strides against cybercrime, it appears that the volume, seriousness, impact, and 
international reach all continue to grow. This means that for those entrusted with 
ensuring a trustworthy workforce, conducting investigations, and gathering intel¬ 
ligence, there are more challenges every day, and ignoring the Internet’s threats and 
opportunities is simply naive and ignorant, as PWC’s 2013 survey suggested. 


Online Venues 

Websites, Internet Relay Chat (IRC), blogs, and hosted group sites have become 
online clubhouses for gangs and organized criminal groups. For example, there 
are over 1,000 sites offering/hosting pirated movies, TV shows, music, and soft¬ 
ware globally. Websites involved in criminal activities like piracy are run, supplied, 
and patronized by millions of persons who are not being arrested or charged. 9 
Perpetrators’ identities might be ascertained by Internet investigations. In some 
cases, their names and virtual identities are widely known, yet they are not brought 
to justice for many reasons, including locations abroad, where cybercrime laws are 
weak, nonexistent, or not enforced. Given the current cybercrime situation, employ¬ 
ers must confront their responsibilities to protect people, assets, and information 


Copyrighted material 



42 ■ Cybervetting 


against candidates for employment whose online misbehavior may be discoverable. 
Unfortunately, most cybercriminals have no arrest record. As with all types of crim¬ 
inal activities, Internet crime runs the gamut from high-impact, violent activities 
like drug trafficking to annoying spam and pop-up ads. Like legitimate businesses, 
criminal enterprises have discovered that automation, networking, e-commerce, 
and Internet anonymity can facilitate efficiency, rapidly scaled marketing, quick 
sales growth, and customer satisfaction. 10 

A good example of organized Internet crime is illicit online pharmaceuti¬ 
cal sales. Large numbers of online pharmacies offer discounted brand-name and 
generic drugs, ostensibly from Canada and Europe, but predominantly from 
Ch ina, India, Russia, East Europe, the Caribbean, and the South Pacific. The aver¬ 
age US consumer, facing high drug prices, cannot easily determine the legitimacy 
of the discount products or websites. US, Canadian, Russian, Chinese, and Indian 
organized criminals offer prescription drugs without a prescription and ship or 
mail medicines to customers who will not know if the pills are poison, counterfeit, 
generic, or the real thing. Even repackaged, diverted products appear in Internet 
pharmaceutical channels. It is a classic case of the web’s ability to host black, gray, 
and legitimate markets, often indistinguishable from each other to customers. 11 


Digital Delinquency 

By its nature, the Internet has spawned illegal activities that are digital. For exam¬ 
ple, sales and bartering of misappropriated content such as films, videos, music, 
audio, software, designs, and other intellectual property have become lucrative 
businesses. Like a criminal form of eBay or craigslist, websites host auctions and 
sales of stolen credit card data and purloined personal identities. New software 
and networking systems have been created to facilitate transfer of large digital files, 
such as Napster and BitTorrent (described as “Download big files fast. Publish and 
sync files of any size.”). 12 

Old-fashioned fencing and duplication of stolen DVDs have been joined by 
high-speed transfer of films’ data files from multiple sites distributed globally. In 
some cases, individual sites host no technically illegal content (e.g., by hosting only 
a part of a pirated film), and only a central controllers permission allows users 
to access, download, verify, and reassemble the whole thing. Some criminal sites’ 
sophisticated uses of authentication, encryption, compression, and high-bandwidth 
transmission at times exceed the norm of commercial Internet services. 


"Free" Intellectual Property 

Although copyright violations are illegal, especially for commercial rather than 
personal use, Internet file sharing has given rise to a quasi-religious belief that 


Copyrighted material 



Use and Abuse: Crime and Misbehavior Online ■ 43 


information should be free. Large groups of people think that they have a God-given 
right to all the information accessible to them. Profound changes in music, film, 
TV, and software production have been necessitated by technological challenges 
to digital property rights protection (known as digital rights management, DRM). 
The blogosphere resounds with philosophical wars—some of which have resulted 
in retrenchment by entertainment companies—when digital rights are asserted 
and enforced using new technologies. Ironically, it is not the American National 
Security Agency (NSA), British Government Communications Headquarters 
(GCHQ), or Russian FSB (Federal Security Service; KGB) cryptographers who are 
most energized when new commercial encryption is deployed to protect movies, 
tunes, and software. An entirely new class of “amateur” cryptographers has learned 
how to attack copyright protections, cooperating internationally and overcoming 
language, mathematical, and technical barriers to break controls on digital goods . 13 
In this context, it becomes clear that intellectual property protections and well- 
established legal principles are at considerable risk. 

Large numbers of Internet users have been quickly mobilized to denounce 
DRM controls, resulting in entertainment companies like Sony choosing to rescind 
built-in protections . 14 While dwelling on the reasons for the failure of technol¬ 
ogy to solve the digital rights conundrum is not necessary here, to be fair, one 
must allocate some blame to the inadequacy of the technical solutions themselves. 
The subclass of attackers with large-scale, commercialized criminal operations has 
benefitted from the anticontrol feelings. This subclass threatens both government 
and business employers, as well as the companies whose goods they misappropri¬ 
ate. Not only do Internet-facilitated illegal acts create risks for enterprises, but also 
the cybercrimes themselves skew society’s ability to detect, measure, assess, and 
respond to the types of crime problems that arise. Cybercrime is a category of secu¬ 
rity risk requiring in-depth study in its own right. For purposes of this review, it is 
necessary to recognize these key attributes: 

■ Law enforcement struggles with prevention and enforcement of Internet 
crimes because international, federal, state, regional, and local police juris¬ 
dictions are physical, not virtual, and “Internet patrol” has not yet arrived. 

■ Rapid evolution of Internet crimes (e.g., phishing, which is the use of spam 
to entice victims online) often defeats enforcement by the speed, scale, geo¬ 
graphic dispersal, and anonymity of the crimes. 

■ Because the Internet is global, anti-cybercrime enforcers are often unable to 
bring perpetrators to prosecution. When prosecutions occur, the scale of vio¬ 
lations documented (e.g., in seized computer hardware and records) often 
results in identified perpetrators who are not prosecuted because they are 
abroad, too numerous, or deemed not to be leaders or for other reasons. 

■ Prosecutorial choices (e.g., concentrating resources on child exploitation 
crimes instead of identity frauds) may result in relatively large numbers of 
cybercriminals who are not prosecuted and crimes not investigated or not 


Copyrighted material 



44 ■ Cybervetting 


fully investigated. “White-collar” crimes online at times are prioritized lower 
than violent crimes and so receive fewer criminal justice resources. 

■ Criminal and civil cases’ digital records often contain evidence of wrongdoing 
not ultimately resulting in recorded sanctions, such as arrests and convictions. 

■ Corporate security investigations are an essential part of Internet criminal 
enforcement and vital to law enforcement success in many types of cybercrime, 
such as external computer system attacks. Corporations therefore are stake¬ 
holders and decision makers in many types of online crime. Only a minority 
of crimes detected by corporate security staffs are reported to law enforcement. 

■ Personnel security—heretofore relying on the criminal justice system to 
record prior criminal activity—faces the probability that cybercriminals have 
no prior criminal record. Further, private databases are more likely than pub¬ 
lic ones to hold evidence of prior misbehavior, on- or offline. 

It is important to recognize the role of hackers and crackers in cybercrime. 
Hackers are people who have made themselves familiar with the way computers 
and related devices work. Hackers can therefore use digital devices in more expert 
ways than the rest of us. Sometimes, you will hear the terms white-hat hacker, gray- 
hat hacker, or black-hat hacker, imitating the gray and black market concepts. Like 
the term hacker, these terms are used loosely but may refer to those who dabble in 
risky but not illegal (gray) activities and those who engage in illegal (black) acts 
online. Hacking is not illegal per se and in fact is critical to IT security. The fed¬ 
eral Computer Fraud and Abuse Act (among others) forbids unauthorized access 
to computers for an illegal purpose or with damaging impact over a certain dol¬ 
lar amount. Crackers are those who use computers and code to commit criminal 
acts—something hackers could choose to do, but for the most part do not. It is 
necessary to understand that, among the cultural groups that have arisen in the 
Internet age, hackers are the group most likely to offer society the solutions needed 
to protect computing going forward—thus the term white-hat hacker. They are also 
the ones with the skills to subvert systems without anyone knowing it. Sometimes, 
we refer to hackers by the more common terms IT staff and programmers . 


The Insider 

The place of automation in an enterprise raises profound questions with regard 
to criminal insiders. Only one malicious employee with access to enterprise IT 
systems can compromise the most valuable assets, especially with privileged access 
such as that enjoyed by the IT systems administrators. As business and govern¬ 
ment systems over the past two decades have increasingly housed vital intellectual 
resources, the risk of loss from insiders has increased. Yet, few agencies and firms 


Copyrighted material 



Use and Abuse: Crime and Misbehavior Online ■ 45 


ask detailed questions of applicants about prior Internet activities and confirm their 
answers by systematic checking. Most employers grant employees full IT systems 
access from their first day on the job, which increases the risk that people with 
prior online criminal behavior may threaten the enterprise. Monitoring of com¬ 
puter systems, networks, and data often has the fatal flaw of assuming authorized 
users are not engaged in illicit activities, even though statistics often show that 
employee crime, errors, and account takeovers from external attacks are costly 
to enterprises . 15 Leaving the risk of insider computer crime unaddressed is no longer 
acceptable, especially if high-value data reside online. 

As use of digital evidence and electronic records in investigations has grown, 
most large employers have faced the realization that their own data may become 
damaging evidence against them. An employee engaged in cybercrimes while “on 
duty” puts the employer in jeopardy of criminal or civil charges, and e-mails, true or 
untrue, can become powerful evidence of misbehavior attributable to the enterprise. 
Yet, only a small percentage of employers have made a connection between the fac¬ 
tors that correlate users’ on-the-job and personal computer habits. For example, sev¬ 
eral trends are well known but not considered in the context of risk to the enterprise: 

■ Indiscreet, blatant documentation of inappropriate behavior is common on 
social sites like Facebook and MySpace. Can someone so indiscreet maintain 
professional discretion at work? 

■ Exchanges of copyrighted works in digital form—especially films, music, 
video, and software—without paying for them are rampant. Will workers with 
such habits choose to protect their employers’ digital intellectual property? 

■ As Internet advertising and marketing illustrate (and the decline of print 
media reflects), networking through large numbers of professional contacts 
is key to enterprise reputation and market rank. As today’s highly mobile 
workforce shuttles to their next employer, will they bring these connections 
with them digitally or leave them with their former employer (to whom they 
may literally belong, if they are on a customer list)? 

These are only a few of many possible examples. When enterprises are depen¬ 
dent (as most are) on IT systems, networks, and data, the individual user’s online 
choices assume greater importance. “Humorous” e-mails can turn into damning 
evidence in court. Digital evidence is long lived, searchable, retrievable, often avail¬ 
able to a legal adversary, and dependent on the input of every employee (even the 
ones with the worst sense of humor). 

Despite the trend toward indiscreet (potentially self-damaging) online revela¬ 
tions and misbehavior, most employers do not address candidates’ online habits 
directly. Screening, orientation, training, and monitoring can mitigate these risks, 
but strategic changes in personnel security are necessary to address them. 


Copyrighted material 



46 ■ Cybervetting 


Misbehavior Online 

It appears that, like cybercrime, misbehavior (illicit, socially unacceptable acts) 
online are rising. People in a position of heavy responsibility, high visibility, power, 
or authority, such as law enforcement and intelligence officers, politicians, celebri¬ 
ties, chief executives, or tax collectors, should carefully consider any public Internet 
posting. Any posting must meet the '‘grandmother test” (i.e., be suitable for display 
to grandma). However, permanently damaging revelations about such incredibly 
stupid misbehavior abound. For example 16 : 

An Albuquerque police officer shot and killed a suspect during a traffic stop in 
2011. He had listed his job description on his Facebook page as “human waste dis¬ 
posal.” An attorney sought to obtain access to 57 officers’ Facebook pages to see if 
they had discussed the shooting. ITie officer involved later said that his Facebook 
posting was “extremely inappropriate and a lapse in judgment on my part.” 

A Peoria, Arizona, police officer was disciplined after posting a photograph on his 
Facebook page of a President Barak Obama tee shirt riddled with bullet holes with 
a line of seven men displaying handguns and assault rifles. The Secret Service and 
the officer’s department launched inquiries after the photo was posted. The officer 
was demoted and suspended by the department because of his violation of its social 
media policy and because he discredited the department. 

The discipline was upheld following the officer’s appeal of the demotion. 

A Chandler, Arizona, police officer was terminated by the department for main¬ 
taining a sexually explicit website featuring himself and his wife; the site was 
operated for money—without any kind of message or social/political commen¬ 
tary—thereby bringing discredit to the city service. A federal appeals court ruled 
that the officer “may have the constitutional right to run his sex oriented business, 
but he has no constitutional right to be a policeman for the City at the same time.” 

Like the other examples of notorious conduct online (e.g., the reference in 
Chapter 1 to Congressmen Lee and Weiner in 2011), it appears that people with 
authority must be especially careful about the possibility of exposure. Their employ¬ 
ers also have reason to be concerned because no matter how responsible a persons job 
may be, there is still a possibility that a seriously damaging online incident can occur. 


Notes 

1. UN Comprehensive Study on Cybercrime, Draft—February 2013, http://www.google. 
com/url?sa=t&rct=j&q=&esrc=s&frm= 1 &source=web&cd= 1 &cad = rja&ved = 0CC 
kQFjAA&;url=http%3A%2F%2Fwww.unodc.org%2Fdocuments%2Forganized- 

crime%2FUNODC_CCPCJ_EG.4_2013%2FCYBERCRIME_STUDY_210213. 
P df&ei = lLSTUomMBYvjoATe_YDADQ&usg=AFQjCNFoJTRP-PIsyx„ 
BHuRMx7J-JPBvQ&bvm=bv.57127890,d.b2l (accessed November 25, 2013). 


Copyrighted material 



Use and Abuse: Crime and Misbehavior Online ■ 47 


2. Motta, Thomas G., FBI Digital Evidence section chief, address to Law Enforcement 
Information Management, International Association of Chiefs of Police (IACP) 
Conference, Nashville, TN, May 8, 2008, and briefings to subsequent meetings of the 
IACP Computer Crime and Digital Evidence Ad Hoc Committee. 

3. Comey, James B., director, FBI, Statement Before the Senate Committee on Homeland 
Security and Governmental Affairs, Washington, DC, November 14, 2013, http:// 
www.fbi.gov/news/testimony/homeland-threats-and-the-fbis-response (accessed 
November 25, 2013). 

4. 2012 Internet Crime Report, Internet Crime Complaint Center, FBI and National 
White Collar Crime Center, May 2013, http://www.ic3.gov/media/annualreport/2012_ 
IC3Report.pdf (accessed November 15, 2013). 

5. UN Comprehensive Study on Cybercrime, Draft—February 2013. 

6. 2013 US State of Cybercrime Survey, PWC, June 2013, http://www.pwc.com/us/ 
en/increasing-it-effectiveness/publications/us-state-of-cybercrimc.jhtml (accessed 

November 25, 2013). 

7. Computer Security Institute-FBI Annual Computer Crime Survey, http://gocsi.com/ 
survey (accessed August 8, 2010). 

8. Bureau of Justice Statistics, National Computer Security Survey, 2005, http://bjs.ojp. 
usdoj.gov/index.cfm?ty=dcdetail&iid=260 (accessed August 8, 2010). 

9. Stahl, Lesley, Video Pirates, the Bane of Hollywood, 60 Minutes, CBS, November 1, 
2009, http://www.cbsnews.eom/stories/2009/10/30/60minutes/main5464994.shtml 
(accesse dj une 1, 2010). 

10. Sarno, David, The Internet Sure Loves Its Outlaws, Los Angeles Times , April 29, 2007. 

11. My Internet investigations over the past 8 years have included online pharmacies’ ille¬ 
gal sale of brand-name and generic drugs to US customers, with and without requiring 
prescriptions, mailing/shipping prescription drugs and controlled substances directly 
to consumers in contravention of federal and state laws and ethical medical practice. 

12. BitTorrent self-description, http://www.bittorrent.com/ (accessed November 25, 2013). 

13. Based on 28 years of my experience with cryptography and news media reports. 

14. Holahan, Catherine, Sony BMG Plans to Drop DRM, Business Week , January 4, 2008, 
describes the decision by Sony BMG Music Entertainment to drop DRM software 
included with music to prevent its download over the Internet and compete with Apple’s 
iTunes for sale of downloaded music. Sony was the last of the top four music labels to 
drop DRM. A 2005 version of Sony’s DRM software included in each CD automatically 
installed controls on users’ personal computers that reportedly created vulnerabilities to 
viruses, which prompted a boycott and lawsuits (BusinessWeek.com, November 29, 2005). 

15. Bolshaw, Liz, Personal Devices Pose Biggest Threat to Corporate Security, Financial 
Times , November 15, 2013, http://www.ft.eom/intl/cms/s/0/e4b53190-4b82-l Ie3-a02f- 
00144feabdc0.html#axzz2kipWPkM2 (accessed November 16, 2013). Checkpoint’s sur¬ 
vey showed that 93% of US and UK companies use mobile devices to connect to corporate 
networks, while 67% allow employees to connect personal devices. Detwiler, Bill, Field 
Guide: Types of People Behind Today’s Corporate Security Ifireats, ZDNet, December 
2013, http://www.zdnet.com/field-guide-types-of-people-behind-todays-corporate- 
security-threats-7000023802/ (accessed December 4, 2013). ZDNet’s field guide to help 
corporations identify and defend against security threats noted that employees are often a 
company’s greatest security threat, through deliberate or accidental acts. 

16. Pettry, Michael T, supervisory special agent, FBI, presentation to International Association 
of Chiefs of Police, Legal Officers’ Section, September 29, 2012, San Diego, CA. 


Copyrighted material 



Copyrighted material 



Chapter 4 

Internet Search Studies 


Introduction 

Important questions about cybervetting have remained unanswered for several 
years, and until recently, compelling evidence has been lacking about the neces¬ 
sity and value of cybervetting to an enterprise. A key question is what kind of 
results Internet searches will produce when they are added to the evaluative process 
for background investigations and other personnel security measures. Two recent 
studies—published here for the first time—shed light on the answers needed to 
make valid risk management decisions. 

Until now, research has not produced much evidence about the pros and cons 
of cybervetting. Articles pointing out that employers’ cybervetting risks discrimi¬ 
nation, erroneous judgment, and possibly putting oft good potential candidates 
provide little but speculation about the practice and its possible results. To protect 
the privacy of social networkers and the rapidly developing new media through 
which their online networking is occurring, some academics, legal scholars, and 
journalists even go so far as to suggest that publicly posted information should not 
be used by potential employers. 1 2 Fortunately, several recent legal articles have out¬ 
lined best practices for employers to avoid legal, ethical, privacy, and policy pitfalls. 
Best practices are treated in detail later in this book. 

To determine whether cybervetting is necessary and desirable, it would be good 
to determine answers to the following questions: 

1. Can Internet searches be thorough and accurate enough to provide useful 
intelligence about the subjects most of the time? 

2. Are substantive issues found frequently enough to justify cybervetting? 


49 


Copyrighted material 


50 ■ Cybervetting 


3. Does cybervetting often provide leads or indicators that can help identify 
and assess issues, or provide investigative sources, for information relating 
to candidates? 

4. Is cybervetting cost-effective (efficient)? 

Two studies are presented here in an attempt to shed light on the possible 
answers to these questions (and some others, including where online most sub¬ 
stantive issues may be found). The first is an academic exercise conducted with 
about 300 volunteers, and the second is a review of over 700 cases in which online 
investigations were conducted by my firm, iNameCheck. Although it is early in 
the history of cybervetting to suggest that the results presented here are dispositive, 
the studies provide valuable indicators of the need for, and prospects for success of, 
routine cybervetting of candidates and employees. Ihe efficiency of cybervetting 
was not addressed by the two studies. 


Academic Study 

The discussion that follows summarizes the results of a study 2 conducted to ascer¬ 
tain how many volunteers from a population of university students would be found 
to have issues identified by Internet searching that could preclude their employ¬ 
ment or a clearance under the federal Adjudicative Guidelines for Determining 
Eligibility for Access to Classified Information (Guidelines). 3 In summary, the pre¬ 
clusive items in the guidelines are as follows 4 : 

Lack of allegiance to the United States', treason, sabotage, anti-US acts, extremism 
Foreign influence : foreign relatives, relationships, sympathies, or coercion 
Foreign preference : dual citizenship, loyalty to another nation or anti-US group 
Sexual behavior : illegal or unbalanced behavior, coercible (not sexual preference) 
Personal conduct: dishonesty, bad judgment, unreliability, rule violations 
Financial considerations: financially overextended, dishonesty, unexplained affluence 
Alcohol consumption: driving under the influence (DUI), drunk and disorderly, 
frequently drunk, binge drinking 

Drug involvement: illegal drug use/dealing, dependency, drug abuse 
Psychological conditions: emotional disorders, mentally ill, unreliable or unstable 
Criminal conduct: a serious or multiple minor crimes, whether or not 
charged/convicted 

Handling protected information: disclosure of or failure to protect classified/ 
sensitive information properly 

Outside activities: conflicts in employment (foreign), loyalty, or protecting clas¬ 
sified data 

Use of information technology (IT) systems: illegal/noncompliant acts, unauthor¬ 
ized use 


Copyrighted material 



Internet Search Studies ■ 51 


For each of these issues, the guidelines take into account factors surrounding 
the conduct observed, including its seriousness, frequency, recency, nature of par¬ 
ticipation by the subject, and the likelihood of recurrence. A recent or recurring 
pattern of questionable judgment, irresponsibility, or emotionally unstable behav¬ 
ior can itself be disqualifying. Evidence is to be collected and considered both on 
possible misbehavior and on all mitigating circumstances, so that a balanced judg¬ 
ment can be made. In my experience, adolescent misjudgments, minor drug exper¬ 
imentation, drinking while partying, and similar incidents, provided they took 
place some time ago, were not repeated and do not represent a pattern of continued 
behavior, are not normally disqualifying for federal clearances. Also in my experi¬ 
ence, the federal governments guidelines provide the most comprehensive and fair 
framework by which candidates for highly responsible positions can be evaluated. s 

Study Summary 

Student volunteers from across the Michigan State University (MSU) campus 
participated in a cybervetting study sponsored by the Defense Personnel Security 
Research Center (PERSEREC) and managed by Dr. Thomas J. Holt of MSU and 
iNameCheck (my firm). Information provided by volunteers (who received noth¬ 
ing for participation) was used to generate Internet searches to ascertain whether 
the types of concerns in the Adjudicative Guidelines could be identified with 
participants in public postings online. Of the 298 participants who responded to 
the solicitation, 28, or 9.4%, were identified whose postings online raised substan¬ 
tive issues for a background investigation. Fifty-three percent, or 158 of the par¬ 
ticipants, failed to provide complete or accurate information on their study forms. 

The participants were asked to provide their name, nicknames, sex, home mail¬ 
ing address, e-mail addresses, user names (not passwords), websites where they have 
accounts, and school. Most of the volunteers came from classroom solicitations by 
instructors using handwritten forms, with about 20% filling out electronic forms 
in response to e-mail solicitations. 

All participants’ information was researched online, and a report was compiled 
only on each individual about whom significant issues of potential concern were 
found (i.e., reports of findings deemed derogatory). A copy of the report was sent via 
e-mail to each volunteer with such Internet search findings. Redacted copies of the 
reports on findings deemed derogatory were provided to MSU’s principal investiga¬ 
tor and to PERSEREC (i.e., the redacted reports did not identify the individuals or 
provide information that would lead to their identification). Documents on indi¬ 
viduals about whom derogatory information was developed were not disseminated, 
and the participants’ identities will be protected. Those about whom no substantial 
derogatory information was found were sent an e-mail advising them of that fact. 

Within the 28 reports containing derogatory findings, half (14) contained com¬ 
ments related to alcohol abuse, although other issues were identified. Following is a 
list of issues found and the number of participants with that issue: 


Copyrighted material 



52 ■ Cybervetting 


Alcohol abuse: 14 

Drinking was depicted in photos, text, and videos. 

Profanity, biased and vulgar postings: 10 

Text containing offensive language was repeated multiple times. 

Illegal drug use: 8 

Marijuana use, “liking” illegal drugs, and references to being stoned were 
considered. 

Mental health issues: 2 

Two individuals posted about their mental health problems. 

Overdosed prescribed drugs, suicidal: 1 

Two overdoses led to suicidal thoughts several months before. 

Software piracy: 2 

References to misusing copyrighted materials were present. 

Possible misuse of IT skills: 2 

Advanced IT skills accompanied by other misbehavior occurred. 

Possible academic cheating: 2 

Contents of an MSU test were posted and a test and notes website recommended. 

Arrest: 1 

An individual posted that his arrest was due to “self-defense.” 

Use of malware: 1 

A “how-to” on using malicious code was posted. 

Foreign affiliation: 1 

A student’s link to a foreign embassy was posted on the embassy website. 

E-mail used for online scams: 1 

A student’s e-mail address was apparently hijacked and used in scams. 

Refused to stop offensive postings: 1 

A female with multiple offensive postings refused her family’s advice to stop and 

cut off their access to her postings, which remained publicly accessible. 

(More than 1 of the 46 issues identified in some instances applied to an individual.) 

Among the 28 respondents with issues, 10 were female (7.3% of females par¬ 
ticipating) and 18 were male (11.2% of males participating). Twitter and Facebook 
were the websites where most of the issues were found, with a variety of others, 
including photo and video posting sites such as Flikr, Photobucket, and YouTube, in 
more than one case. A white paper was furnished to all participants, “Safeguarding 
Your Reputation Online,” with links to resources about the topic. 

The results appear to support the proposition that cybervetting can be pro¬ 
ductive in identifying issues that could disqualify a candidate from a clearance 
or employment, or require customized orientation and training to ensure that a 
new employee understands the employer’s standards for online behavior on work 
and personal computer systems. Although all the volunteers knew that an Internet 


Copyrighted material 



Internet Search Studies ■ 53 


search would be conducted, 9.4% had postings of concern that could readily be 
found online. The 28 individuals identified did not include persons whose postings 
contained only vulgar or profane language, gay or lesbian sexual preference, or 
juvenile pranks except when accompanied by other factors specified in the guide¬ 
lines. A few of the 28 were identified because of issues that, although not indicative 
of misbehavior, apparently would need to be resolved during background investiga¬ 
tions. Note that contents of the 28 cybervetting reports would be included with 
other investigative results (e.g., verification of education and employment), possibly 
could result in additional leads in background investigations, and might not neces¬ 
sarily result in disqualification of a candidate after vetting was completed. 

A majority (53%) or 158 of the volunteers failed to furnish complete and accu¬ 
rate information about their online activities, making it more difficult to deter¬ 
mine their questionable behaviors online. Missing on their forms were such items 
as websites and user names, and a few failed to provide their complete names and 
other identifiers. However, all participants were identified through online research. 
This lack of candor could inhibit the efficiency and effectiveness of a cybervetting 
program or raise issues about the honesty of individuals who fail to provide com¬ 
plete and accurate information as required on application forms. It is unclear if 
the respondents simply did not provide such information because of the voluntary 
nature of the study, as compared to a job application, for which certain information 
must be given. Some simply may have forgotten to list websites that they no longer 
used. Because fair and ethical cybervetting should include notice, acceptance, and 
some information collection from the candidate, forms that are likely to elicit the 
information required for Internet searches from all candidates should be used. 

The most frequented websites, according to the participants themselves, who 
ranged from 18 to 43 years old (but were mostly closer to 18), were Facebook, 
Twitter, MySpace, Yahoo, Google, YouTube, StumbleUpon, Linkedln, Tumblr, 
Pinterest, and Amazon. In view of this relatively limited number of frequented 
websites, it should be possible to automate Internet searches to capture a high per¬ 
centage of postings while limiting the cost of adding cybervetting to background 
investigations. Note that to date, analysts are needed in conjunction with auto¬ 
mated collection to ensure that references included in cybervetting reports are not 
false positives. 

The study results suggest that background investigations of people within a 
comparatively modest, yet demonstrably well-educated, group of young people 
(ostensibly intelligent, serious, and well motivated) that do not include cybervetting 
may miss substantive issues in an applicant’s background. MSU graduates would 
seem to be among those considered ideal potential candidates for government jobs. 
In addition, elicitation of candid responses from applicants to questions about their 
user names and online activities to fully investigate an individual’s background 
online could pose a challenge. 


Copyrighted material 



54 ■ Cybervetting 


iNameCheck Cybervetting Case Study 

I conducted a second study by reviewing all of the investigations of my firm, 
iNameCheck. The goal was to find those background investigations conducted on 
individuals who were not suspected of misbehavior, illegal activities, or the like. The 
group of inquiries selected comprised applicants or candidates for positions and sub¬ 
jects of due diligence and legal support investigations. Each investigation included 
reviews of information found online that could have an impact on a judgment 
about the persons suitability for employment, reliability, trustworthiness, or the 
like (i.e., cybervetting). To provide an objective means of determining that results 
were either derogatory or not, the Adjudicative Guidelines outlined were adopted 
as an assessment tool. In each case reviewed, minor issues (e.g., old traffic citations, 
single instances of posting crude language, common debt problems, and the like) 
were deemed insufficient grounds for a negative finding. However, for purposes of 
this study, a large number of such minor issues or aggravated instances (e.g., DUIs, 
repeated use of racist or profane postings, bankruptcy, multiple civil lawsuits, liens 
or judgments, and flagrant, repeated recent misbehavior) were deemed derogatory, 
as were substantial issues needing resolution through further inquiry. 

Over 1,900 iNameCheck cases were reviewed, and 736 cases on people (70% 
male, 30% female) were found for which cybervetting was used in the subjects’ 
background investigations, which were done without prior suspicion of wrong¬ 
doing or derogatory information. Subjects who were suspected of wrongdoing 
or who were investigated for a purpose unrelated to an assessment of suitability 
(e.g., attempts to locate an individual) were not included in the study. Reports of 
findings in the 736 investigations were reviewed, and 232 (31.5%) contained sub¬ 
stantial derogatory information concerning the subject. Derogatory findings were 
present in the cases of 66 females (28.4% of negative findings, 30% of females 
investigated, and 8.96% of all 736 reports) and 166 males (71.6% of negative find¬ 
ings, 32.2% of males investigated, and 22.6% of all 736 reports). Note that the 
percentage of cases with findings of derogatory information in this batch of cases 
was substantially higher than one might expect, as 6% to 10% of reports from a 
presumably innocent population would normally be expected to have substantially 
derogatory findings. One implication of these results is that including cybervetting 
in background investigations could uncover substantial issues for about 30% of a 
group of candidates—three times the rate for the college students. 

Tables 4.1 and 4.2 show the nature of the derogatory findings, broken down 
by male and female subjects, respectively. Financial, foreign influence, and crimi¬ 
nal issues formed the most frequent of derogatory findings. Misbehavior and bad 
judgment, shown by a pattern of civil suits, misdemeanors, and alcohol and drug 
abuse, were also present, as expected. Because the guidelines were used as a thresh¬ 
old for identifying issues, it is possible that individual cases would be resolved in 
the subject’s favor on review and adjudication. However, cases involving glaring or 
unresolved substantial issues were identified and categorized as set out previously. 


Copyrighted material 



Internet Search Studies ■ 55 


Table 4.1 Male Derogatory Findings 


Number 

Issue 

Other Issues 

58 

Financial, including unpaid debts 
or unexplained affluence 

8 with criminal issues, 

2 judgments 

40 

Criminal issues, including arrests, 
convictions, illicit acts 

13 financial, 1 sex-drugs, 

1 judgment 

27 

Bad judgment, including 
lawsuits, misbehavior online 

Sexual, criminal, racism issues 

18 

Foreign allegiance, influence, and 
preference 


7 

Alcohol, 1 with criminal acts and 
financial mismanagement 


6 

Sexual misbehavior with alcohol, 
drugs, and criminal acts 


5 

Misbehavior (e.g., lawsuits) with 
bad judgment, illegal acts 


3 

Drugs, 1 with criminal acts, 1 bad 
judgment 


2 

Mental issues 


166 

Total number of derogatory 
subject reports 



Table 4.2 Female Derogatory Findings 


Number 

Issue 

Other Issues 

22 

Financial issues, 6 with criminal issues as well 


14 

Foreign allegiance, influence, and preference 


11 

Criminal issues, 3 also financial issues 

1 alcohol issue 

6 

Misbehavior (2 radical acts, 2 sexual issues) 

1 alcohol issue 

4 

Egregious bad judgment (e.g., sexual postings) 


4 

Alcohol issues, 1 also drugs 


3 

Sexual issues, 1 pornography 


1 

Drugs 


1 

Mental issues 


66 

Total number of derogatory subject reports 



Copyrighted material 





56 ■ Cybervetting 


When one eliminates foreign allegiance, influence, or preference from the nega¬ 
tive evaluations (primarily US government issues), 148 males with issues remain 
(28.7% of the males investigated) and 52 females (22.6% of the females investi¬ 
gated), meaning that 27.2% of all those investigated had derogatory findings. 

The implications of this review of iNameCheck cases include a high probability 
that online evidence will be found of substantial issues to be resolved, prior to hir¬ 
ing, promoting, clearing, or otherwise deciding to trust someone, based on cyber¬ 
vetting. Although cybervetting was used in the findings cited here, sources such as 
criminal records; court records; acquaintance, employer, and teacher interviews; 
and similar “traditional” investigative steps would also be expected to yield many 
of the same findings. Cybervetting was found in many of the cases reviewed to 
provide leads that could be used to verify or add details to issues identified, such as 
through physical reviews of records found electronically or interviews with a sub¬ 
ject’s social networking friends. Although it is not possible to accurately speculate 
on how many of the issues identified might not be found in a traditional investiga¬ 
tion without cybervetting, it is safe to say that the 31.5% negative findings (27.2% 
without foreign influence issues) are a bright red flag, suggesting that cybervetting 
is a due diligence necessity. 

Based on the results of both studies, here are a few important observations 
on cybervetting: 

■ A significant number of issues could go unidentified without cybervetting. 

■ Some of the issues that might go unidentified, including drug and alcohol 
abuse, arrests, convictions, civil suits, financial instability, and misbehavior 
online, could lead to significant problems on the job or in a position of trust. 

■ Online misbehavior issues identified through cybervetting could be expected 
to reappear as a person uses an employer’s computers, networks, and data. 
Failure to discover such issues and address them in orientation, training, and 
on-the-job monitoring of those hired could expose an employer to significant 
security risks—think of Edward Snowden and Robert Hanssen. 

■ Intelligence and leads gleaned from a cybervetting program, handled prop¬ 
erly, enable an authority to identify and address risks with candidates prior to 
their appearance later, on the job. 

■ Failure to look for and find obvious online issues could subject an enterprise 
to losses, damage, and legal sanctions for neglecting to exercise due care in 
personnel security, including vetting. 

In my view, my company’s 8 years of experience in applying cybervetting to 
the practice of investigations have yielded much stronger results than those investi¬ 
gations would have produced without online searching. Although it is understood 
that some government agencies, private businesses, universities, and organiza¬ 
tions still do not use cybervetting, particularly in background investigations, it 
appears that they are taking a serious risk by failing to do so. Based on the results of 


Copyrighted material 



Internet Search Studies ■ 57 


cybervetting outlined here and elsewhere in this book, the evidence for its necessity 
is overwhelming. Further, it is clear to me that the costs for failing to include cyber¬ 
vetting in personnel security and background investigations will be substantially 
higher than that for incorporating the practice into existing programs. 


Notes 

1. Jodka, Sara H., The Dos and Don’ts of Conducting a Legal, Yet Helpful, Social Media 
Background Screen, Law Practice Today (American Bar Association monthly magazine), 
September 2013, http://www.americanbar.org/content/newsletter/publications/law_ 
practice_today_home/lpt-archives/septemberl3/the-dos-and-donts-of-conducting- 
a-legal-yet-helpful-social-media-background-screen.html, (accessed November 26, 
2013). Clark, L., and Roberts, S., Employers Use of Social Networking Sites: A 
Socially Irresponsible Practice, Journal of Business Ethics , 2010, http://homepages. 
se.edu/cvonbergen/files/2013/0 l/Employer%25E2%2580%2599s-Use-of-Social- 
Networking-Sites_A-Socially-Irresponsible-Practice.pdf (accessed January 20, 2014). 

2. Holt, Thomas J., and Appel, Edward J., Sr., Detecting and Assessing Online 
Misbehavior by Candidates and Employees of DoD: Phase II—Identifying Issues of 
Concern through Automated Internet Searching, an unpublished study conducted 
by iNameCheck (authors firm) and Michigan State University College of Criminal 
Justice, December 2012, for the US Department of Defense Personnel Security 
Research Center. 

3. Code of Federal Regidations , Government Printing Office, July 2012, http://www. 
gpo.gov/ fdsys/ pkg/ CFR-2012-title32-vol 1 / xml/CFR-2012-title32-vol 1 -parti 47.xml 
(accessed January 28, 2014). See Chapter 9. 

4. Terminology is mine, derived from the guidelines (not the official version). 

5. When I was assigned to the National Security Council, I led an interagency group 
that rewrote the guidelines during the Clinton administration, about 1996; these were 
approved by the president and have withstood the test of time ever since. 


Copyrighted material 



Copyrighted material 



Chapter 5 


Implications 
for the Enterprise 


Introduction 

Surveys, media reports, and quotations suggest that because of online misbehavior, 
some employers are adding Internet searches to prehiring background investiga¬ 
tions. 1 Although studies of what is often called “social media vetting” vary on the 
percentage of employers, recent surveys have verified indications over the past sev¬ 
eral years that many employers do some form of cybervetting: 2 

In 2011, the Society for Human Resource Management found 56% of employers 
reported using social media in hiring. 


A June 2013 nationwide survey by CareerBuilder found 43% of employers who 
vetted applicants online did not hire an applicant based on information found 
online, including 

■ 50%—Posting provocative/inappropriate photos or information; 

■ 48%—Posting about drinking or using drugs; 

■ 33%—Badmouthing a prior employer; 

■ 30%—Bad communication skills; 

■ 28%—Making discriminatory comments related to race, gender, religion, 
and so on; 

■ 24%—Lying about qualifications. 


Of employers, 19% found online information that supported hiring candidates. 


59 


Copyrighted material 


60 ■ Cybervetting 


However, the media reports appear to indicate that most private- and public- 
sector employers lack several key ingredients necessary for fair, legal, and appropri¬ 
ate use of Internet searching for hiring adjudications, including a written policy, 
procedures, antidiscrimination measures, search methodology, adjudication meth¬ 
ods, notice to applicants, consent (as currently used for background investigation 
interviews with prior employers or schools), and an opportunity to correct adverse 
findings. 1 2 3 Ihese and certain other procedures would insulate an employer from 
potential liabilities arising from Internet searching, including possible violations of 
the Fair Credit Reporting Act and Equal Employment Act. Without proper pro¬ 
cedures and safeguards, an employer’s human resources and other decision makers 
might use Internet searches and the results thereof inappropriately. 

A related trend is for employers to spend considerable sums on systems to monitor 
their employees’ use of work information technology (IT) systems for online mis¬ 
behavior, blocking access to certain Internet sites, filtering and archiving e-mail, and 
even key logging. 4 In recent years, the costs of litigation, losses, and reputational dam¬ 
age to enterprises that failed to control employees’ systems misuses have skyrocketed. 


The New User: Someone You Would Trust? 

Background investigations, combined with resumes, applications, interviews, and a 
“whole-person” evaluation of eligibility, qualifications, experience, and compatibility 
with the enterprise, are the current gold standard for hiring the best candidates. Like all 
investigations, vetting allows an employer to consider facts and observations in mak¬ 
ing a decision. When the open position has multiple applicants, the goal is choosing 
among those most competitive and likely to succeed. The applicants profile—factual, 
verified, and analyzed—is the basis for adjudicating whether to hire the individual. 
In this context, analysis of prior computer/Internet use has somehow been omitted 
by many employers. Most US employees (62% in 2008) use the Internet or e-mail at 
work, and nearly all of those own personal cell phones and computers, according to a 
Pew Internet and American Life study. About 45% of employed Americans reported 
doing at least some work from home in a 2008 Pew survey. 5 In considering the impact 
of automation on employees, several recent trends are significant: 

1. Most US workers come into a job with prior online experience. 

2. Most US workers are granted immediate access to their new employer s 
IT systems. 

3. The “networked worker” of today is much more likely to use computers and 
devices to accomplish a mix of personal and professional tasks throughout 
the day, whether it is a workday or day off and whether during work hours or 
in off-hours. 

4. Workers carry networked devices, including cell phones, laptops, and tablets, 

and are likely to bring them to work. 


Copyrighted material 



Implications for the Enterprise ■ 61 


Employers have a variety of issues to address with today’s workforce in relation 
to their computer, network, and data use, among which are the following: 

■ Ascertaining and evaluating employees level of experience and expertise with 
computers, applications, and processes, especially as those relate to job tasks. 

■ Assessing employees’ awareness of computer system security, IT hygiene, 
history of online safety, and potentially threatening habits (e.g., using risky 
websites or exchanging provocative content). 

■ Including candidates’ online experiences in the background vetting pro¬ 
cess, to ascertain and evaluate eligibility for access to the employer’s systems 
(in light of established authorized use policy [AUP]) and potential need for 
extraordinary orientation and training, should the candidate’s history suggest 
the need for the same. The inclusion of online history in vetting is neither 
trivial nor simple; hence, it will be treated in depth in later chapters. 

In confronting the issues described, the employer must weigh the relative criti¬ 
cality and value of enterprise data, computing and networking infrastructure, as 
well as the risks inherent in potentially allowing employees to use the employer’s 
systems however they wish. Although today’s enterprises, including many small 
businesses (i.e., those with up to 500 employees), have robust IT security built in, it 
is not unusual to find that the individual authorized user has a great deal of discre¬ 
tion in using work systems and interconnecting from outside the enterprise. 

There is a long list of potential problems and risks associated with enterprise 
computing. The user poses the single greatest risk because he or she can often defeat 
even the best security measures. Unless the employer addresses individual users, the 
security of the enterprise’s IT systems, networks, and data, as well as any potential 
for misuse, will depend on each individual user. 


Employer Liability 

An area of criminal and civil law still in flux is the question of the due diligence 
required of an employer for Internet postings by employees using the employer’s sys¬ 
tems. When a tort arises because of actions of an employee, the courts have generally 
assessed whether the employee was acting in the capacity of an employee or (perhaps 
illicitly) on his or her own. The Internet has provided an opportunity for such tortious 
acts as slander, libel, harassment, cyber bullying, defamation of character, unauthor¬ 
ized access to or release of confidential information, copyright violations, and so on. 
Whether the employer could be held liable for illicit employee behavior online or 
not, the risk of criminal or civil charges alone has motivated some firms and agencies 
to step up monitoring of employees. 6 Clearly, the “deep pockets” of the employer 
(and perhaps an insurance company) are greater than that of the offending employee. 
What if the employer has ignored blatant evidence of online misbehavior? 


Copyrighted material 



Implications for the Enterprise ■ 63 


prevent viruses from bringing down computers vital to production. The question 
with which most employers struggle is what kind of monitoring is appropriate and 
cost-effective. Further, what will be done with employees or other authorized users 
(perhaps including vendors, partners, and customers) who violate the AUP? 

Americans’ acute sense of privacy and desire to be left alone by authority 
must be considered in any discussion of vetting, monitoring, and accountability. 
Because the sociological aspects of Internet use are progressing more rapidly than 
the law, policy, and established business practice can adapt, every employer must 
think carefully about not only what security measures to employ, but also what to 
do with information demonstrating the culpability of an authorized user. Simply 
because an act is against the rules is not necessarily a reason to take draconian 
measures, yet failure to address bad behavior is a recipe for further, more damaging 
delinquency. Sometimes, group behaviors online defeat the impulse to punish one 
person’s misdeeds because the employer cannot afford to fire the entire department. 
For example, a large employer found that a group of technicians were all enjoying 
Internet porn sites during the workday but could not afford to fire the whole group. 
Further, the employer may not make the essential connection between the initial 
assessment of a new employee’s proclivity to misbehave online in the context of the 
monitoring and controls that are routinely exercised in the enterprise. In any case, 
an employer needs to analyze security risks and countermeasures as they relate to 
any potential rogue user or group. 

In the social contract that has evolved since automation became so much a part of 
our lives, new philosophical issues have arisen. 7 Can an enterprise survive and succeed 
if its people, systems, networks, and data are constantly at risk because of individual 
users’ misbehavior? Will the best-available workers wish to work in a place where 
ubiquitous surveillance is a constant in enterprise systems and physical space? Can an 
employer in the information age find the right mix of humanity and authority for the 
workplace? Cynics may point out that, in the past few years, more Americans have 
been laid off, downsized, and fired than in many previous decades. Shedding work¬ 
ers, especially in the recession under way at this writing, is merely a way for firms and 
agencies to survive the lack of sufficient income and the overgrown structure that so 
many enterprises took on. One could ask whether IT systems monitoring is as big an 
issue when keeping the job at all is a struggle, even for the best workers. 

The social compact between employer and wired worker should have the follow¬ 
ing foundational elements: 

■ Enterprise systems, networks, and data confidentiality, integrity, accessibility, 
and security depend on each and every authorized user. 

■ Users should expect, and be notified, that all computer systems are monitored. 

■ There are limits to employers’ ability to monitor and enforce all AUP rules. 

■ When an authorized user is documented abusing AUP rules, discipline will result. 


Copyrighted material 



64 ■ Cybervetting 


When online misbehavior is involved, both the employer and the employee 
realize that verification and attribution can be issues. Therefore, the following 
principles apply: (1) The employee will always be a party to considering the facts 
involved in misbehavior (usually in the form of an interview), and (2) employees 
will be held accountable for their behavior. These principles, coupled with those 
enumerated, are more difficult to apply than it would appear (at least my experi¬ 
ence). Often, employers decline to take meaningful action against an employee 
found to violate the AUP or to commit an illicit act. This is often because, however 
privately the case is handled, employers fear adverse reactions from other employees 
and fear lawsuits from those discharged, suspended, or sanctioned for misbehavior. 
“A good talking to” is often the solution, with an attempt to extract a promise that 
“I wont do it again.” This raises a question about the nature and effectiveness of the 
accountability an employer demands. 

At this writing, achieving precision in attribution for online misbehavior often 
depends on expensive and challenging enterprise computer forensics that appear to 
be overkill in the average case of misbehavior. In some business networks, it is rea¬ 
sonable to expect that someday, real-time forensic collection, analysis, and enforce¬ 
ment could literally prevent user error and malicious individuals from violating 
enterprise AUP rules. If “pop-ups” remind users of the limits of their authorized 
use, that can be a good thing. However, for most employers today, there is a reliance 
on the individual user to know and abide by the rules. Such reliance must include 
user accountability, or the AUP has no impact. Defining user accountability is an 
art akin to composing the enterprises AUP. Among the key attributes of a success¬ 
ful user accountability policy are the following: 

■ Consistently applying rules that are provided to, discussed with, and known 
to all 

■ Supporting integrity as a core requirement for success in the workplace 

■ Relating the accountability required of all employees to success factors of the 
enterprise (such as teamwork to enable market-leading innovation, protection 
of intellectual property (IP), discretion, exceeding customer expectations, 
and maintaining a professional reputation) 

■ Making every authorized insider a conscious player in enterprise security, 
for example: 

— Reminders in log-on screens and shared data folders of data protection rules 

- Security updates with real-life examples 

- Required workstation scanning and authentication prior to enterprise 
connection 

— Adherence to security rules included in performance evaluations 

■ Interviewing individuals involved in security inquiries, whenever possible, as 
a normal step in final resolution 


Copyrighted material 



Implications for the Enterprise ■ 65 


The Evolving Personnel Security Model 

In the early 1990s, when the Internet was just starting to take off as a massively 
scaled platform for networking, security strategies for government and business 
were rethought to 

1. Incorporate risk management (rather than risk avoidance) 

2. Provide critical infrastructure protection (to mitigate against failure of 
vital resources) 

3. Practice risk assessment (to allow comprehensive review of threats, vulner¬ 
abilities, and protection plans) 

4. Add practice security in depth (i.e., a layered series of measures designed to 
help prevent, slow, detect, and mitigate any malicious attack) 

At the same time, development of privacy protections matured, with one 
approach, common in Europe, Canada, and Asia, centered on a strong regime with 
sanctions for privacy violations, requiring an “opt in” for personal data sharing, 
and a second approach, in the United States, centering on an “opt-out” choice to 
protect privacy. 8 After September 11, 2001, new impetus impelled government and 
industry to adopt stronger critical infrastructure protections, public-private part¬ 
nerships, proactive measures to prevent terrorist acts, and even more intensive risk 
assessments. The net result omitted the improvement needed at this time in history 
in the most critical element of security: bringing personnel security up to date, 
to address the insider threat and networked information systems as part of work¬ 
ers’ lives. 9 Managing the risk from insiders (employees, contractors, vendors, etc.) 
means achieving the proper balance of oversight and worker autonomy. 

The American worker historically has bridled at intense scrutiny. Close supervi¬ 
sion is unwelcome. Depending on the nature of the workplace, tasks, teamwork, 
and review of results, it may behoove an employer to allow minor violations of 
security rules to promote job satisfaction and possibly productivity. On the oppo¬ 
site side of the coin, employers must judge the extent to which minor security lapses 
lead to larger ones and inadvertent disclosures of sensitive data lead to deliberate 
theft of IP. It is people, not information systems, who are responsible for protecting 
the IP that is the lifeblood of today’s businesses and government agencies. 10 

In automating the enterprise, executives have made their business processes 
considerably more efficient, including the communication, collection, analysis, 
storage, retrieval, and application of information resources. For trusted IT systems 
users, these capabilities can create the means to exploit an employer’s IP for their 
own purposes. Digital rights management, access controls, systems logging, and 
monitoring and blocking of prohibited activities have been introduced. Some IT 
systems have elaborate control regimes. Where the value, vulnerability, and usage 


Copyrighted material 



66 ■ Cybervetting 


of IP dictate, employers are beginning to invest more resources in IT systems secu¬ 
rity and information security in general. Yet, where every user can become a serious 
threat, a personnel security challenge remains. 

Tie history of espionage—both national and corporate—is replete with exam¬ 
ples of individuals who entered the enterprise in all respects innocent, as well as a 
select few who signed up with the intent of betraying their employer and, in some 
cases, their country. Today’s sociological trends are unfortunately leading to more, 
not less espionage. 11 Examples of those trends, which interact to raise the specter of 
increased spying, include the following: 

■ Technology allows easy, undetected search, retrieval, and storage of propri¬ 
etary data. 

■ Expanded global gray and black markets for protected information exist. 

■ Internationalization of science, technology, commerce, networking, and 
travel place more insiders in contact with peers abroad who are in the market 
for trade secrets. 

■ Internet connectivity allows easy, anonymous sale and transfer of large data sets. 

■ More people are vulnerable to severe financial stress, a prime motive for espionage. 

■ Gambling, drugs, alcohol, and other expensive vices contribute to financial 
stress and impulsive illicit acts. 

■ Employer-employee dynamics today often do not include mutual loyalty and 
a sense of obligation and respect, and adverse actions, including layoffs, incite 
acts of revenge by disgruntled employees. 

■ Ethnic, ideological, and global conflicts and population mixtures are chang¬ 
ing, with multiple philosophies motivating mobile actors to commit espio¬ 
nage for what they believe are justifiable reasons. 

Government agencies’ and high-tech firms’ background investigations are 
aimed at preventing the hiring and clearance of persons whose prior behavior proved 
that they were untrustworthy. Information age employers have not all confronted 
the dual challenges of initial clearance and reinvestigation (i.e., verification that the 
employee still qualifies for a clearance). To establish a candidate’s trustworthiness 
for initial hiring, employers need to consider several factors currently ignored by 
the vast majority of enterprises, including an applicant’s history of 

■ Computer systems uses 

■ Internet uses, including social, game, and chat sites 

■ Penalties for computer abuse (e.g., Internet service provider and employer 
sanctions) 

■ Violations of AUPs of employers, schools, or other hosts 

■ Violations of copyright or other proprietary information use restrictions (e.g., 
software, films, video, music, IP) 


Copyrighted material 



Implications for the Enterprise ■ 67 


■ Cracking, malware creation or use, and other malicious code experiences 

■ Anonymous Internet activities and avoidance of IT systems controls 

Admitting prior misbehavior of some types cited may not be sufficient reason 
to deny employment to a candidate. As with adjudication of other types of deroga¬ 
tory background investigative results, the employer should consider the serious¬ 
ness, dates, frequency, repetition, likelihood of recurrence, and willingness to avoid 
future misbehavior of the same type. Today’s employer depends on IT systems and 
knows (or should know) about the damage that only one malicious insider can 
do. Therefore, employers should upgrade their hiring processes to include prior 
IT systems and Internet use in evaluations and investigations. Most employers 
are unable to answer the questions about the orientation and training needed by 
new IT systems users, especially those relating to security. For the new employee 
who is immediately granted IT systems access, the level of employer risk assumed 
is proportional to the proclivity to misuse systems, networks, and data and the 
employers information assurance effort. Unless the individual insider is evaluated 
for trustworthiness with access to IT systems, the employer could be said to be 
negligent in IT security practice. 

Beyond hiring, the lessons of insider crime suggest that there is always a danger 
of 'good employees going bad.” Mitigating this risk is essential but difficult, dhe 
individuals online behavior should be reevaluated periodically, and perhaps ran¬ 
domly, in much the same way as employers have required random and presched¬ 
uled drug testing. One potentially successful strategy is continuous monitoring 
of insider actions to prevent, detect, and mitigate IT system abuse. Another is to 
conduct follow-up vetting. 

Because computer misuse at home may have an impact on an employers sys¬ 
tems, data, and reputation (among other things), checking employees’ recent online 
activities (i.e., those that are public) can help find the few insiders who pose a 
threat to the employer. The employer may discover behavior of concern that can be 
addressed soon enough to deter the insider from acts that are more damaging. If 
serious wrongdoing is uncovered, it is better to address such problems sooner rather 
than later. 

Examples of the insider as traitor include the following: 

Robert Hanssen pled guilty to espionage against his employer, the Federal Bureau 
of Investigation (FBI), and against other agencies of the intelligence community; 
he conducted this espionage over a period of more than 20 years. Hanssen (a 
hacker who became a cracker) was adept at programming computers and, over 
the years, exploited his knowledge of FBI systems to provide the Russian intel¬ 
ligence services with voluminous, highly damaging data. His betrayal contributed 
to the deaths of 10 or more sources of US intelligence, who risked their lives as 
agents in place, and his disclosures led to the compromise of top-secret US col¬ 
lection systems worth billions of dollars. 12 As with all highly damaging spies, the 


Copyrighted material 



68 ■ Cybervetting 


Hanssen case led to personnel security and counterintelligence reforms designed 
to help prevent such betrayal and to discover moles. One key lesson is that com¬ 
puters helped Hanssen to wreak severe damage on US national security in much 
greater proportion than would have occurred without automation. A corollary is 
that monitoring and security assessment of the computer systems Hanssen used 
for his spying could have prevented or mitigated at least some of the damage. Press 
reports suggested that not only the FBI but also other intelligence community 
agencies have strengthened their systems to prevent similar spying in the future. 13 


Former US Army intelligence analyst Pfc. Bradley Manning, 25 (now self- 
described as “Chelsea Manning”), was convicted on 20 counts in a court martial 
July 30, 2013, of leaking voluminous, highly classified materials, including video 
and 700,000 Iraq and Afghanistan war-related documents, to WikiLeaks, a web¬ 
site devoted to publishing information deemed to expose misbehavior by govern¬ 
ments and businesses. Manning was acquitted on a charge of aiding the enemy. 
On August 21, 2013, he was sentenced to 35 years of confinement, reduction to the 
lowest enlisted rank, dishonorably discharged, and forfeiture of all pay and allow¬ 
ances. Undoubtedly, Mannings ability to accumulate from government com¬ 
puter systems, undetected, digital documents and videos that he believed exposed 
US military excesses in war, and to convey them to others he knew would most 
likely publish them, enabled his betrayal. Manning, who may suffer from various 
types of maladjustment, apologized that he had made a misguided attempt to 
change government policy. Because of the content of the leaked documents, which 
included diplomatic cables, grave damage was cited by US government officials. 14 


In June 2013, Edward Snowden, an ex-CIA employee and cleared computer 
administrator for a National Security Agency (NSA) contractor, declared him¬ 
self 13 the leaker of highly classified documents to the Guardian , the Washington 
Post , the New York Times , and several other global press outlets. He fled to Hong 
Kong from his Hawaiian home and subsequently to Moscow, where he sought 
asylum. Press reports indicated that Snowden used readily available computer 
communications and encryption tools to convey voluminous and highly sensitive 
documents about US intelligence activities to reporters. 16 The leaks inspired public 
and private debates over NSA’s ability to amass information about virtually anyone 
and created diplomatic tension over allegations of US spying on Americans and 
allies, as well as terrorists and spies. At this writing, reviews of US intelligence 
methods and policies continue. Snowden claimed that he did not bring his cache 
of sensitive data to Russia, 17 but it appeared from press reports that he continued 
to leak highly classified documents. The press speculated that he possibly stored 
the stolen documents in a secret place “in the cloud,” as a “doomsday” measure, to 
allow exposure after his arrest or demise. Because the documents appeared to have 
revealed some of the most sensitive and detailed sources and methods of US intelli¬ 
gence, it is likely that among results will be loss of capabilities, expensive revisions 
to methodologies, and extensive reorganization at NSA and elsewhere in the US 
intelligence community. Contemporary incidents of violence in the workplace, 
including shootings by cleared individuals at US military bases, have provoked 
reviews of clearance and reinvestigation procedures along with the Manning and 
Snowden cases. 


Copyrighted material 



Implications for the Enterprise ■ 69 


To be successful, todays personnel security model must incorporate an evalu¬ 
ation of authorized users’ past computer system abuse, if any, and include peri¬ 
odic reinvestigations and monitoring to verify that insiders continue to protect the 
proprietary systems and data with which they are entrusted. If the IP protected is 
highly valuable or priceless, “trust but verify” must be the mantra. 


Notes 

1. Rosen, Jeffrey, The Web Means the End of Forgetting, New York Times Magazine , 
July 25, 2010, http://www.nytimes.com/2010/07/25/magazine/25privacyt2. (accessed 
July 25, 2010); quotes recent Microsoft survey saying 75% of US recruiters and human 
resource professionals report that their companies require them to do online research 
about candidates, and many use a range of sites when scrutinizing applicants, includ¬ 
ing search engines, social networking sites, photo- and video-sharing sites, personal 
websites and blogs, Twitter, and online gaming sites. Seventy percent of US recruiters 
report that they have rejected candidates because of information found online, such as 
photos and discussion board conversations and membership in controversial groups. 

2. Jodka, Sara H., The Dos and Donts of Conducting a Legal, Yet Helpful, Social Media 
Background Screen, Law Practice Today (American Bar Association monthly magazine), 
September 2013, http://www.americanbar.org/content/newsletter/publications/law_ 
practice_today_home/lpt-archives/septemberl 3/the-dos-and-donts-of-conducting-a- 
legal-yet-helpful-social-media-background-screen.html (accessed November 26, 2013). 

3. Jodka, The Dos and Donts; and Ody, Elizabeth, Keeping Your Profile Clean, 
Washington Post , May 18, 2008: “A recent survey by ExecuNet, a networking orga¬ 
nization for business leaders, found that 83% of executives and corporate recruit¬ 
ers research job candidates online, and 43% have eliminated a candidate based on 
search results.” Bigam, Kate, Employers May Be Eyeing Students Facebook Accounts, 
KentWired.com, 2006, related an October 2006 report by CareerBuilder.com saying 
that 26% of employers searched candidates online, including 1 in 10 hiring manag¬ 
ers, and 63% of employers chose not to hire based on discoveries, key facets of which 
included lying about job qualifications, poor communications skills, and engaging in 
criminal behavior. Peacock, Louisa, Social Networking Sites Used to Check Out Job 
Applicants, March 17, 2009, http://www.personneltoday.com/articles/article.aspxPlia 
rticleid=49844&printerfriendly=true, said 25% of employers worldwide check social 
networking sites such as Facebook and MySpace for information about job candi¬ 
dates. A 2009 study by Development Dimension International (DDI) found 52% of 
those that did look up prospective employee profiles used the information in making 
hiring decisions. Hechinger, John, College Applicants Beware: Your Facebook Page 
Is Showing, Wall Street Journal online , September 18, 2008, http://online.wsj.com/ 
article/SB 122170459104l51023.html. Ten percent of admissions officers in a survey 
of 500 top colleges admitted checking social networking sites to evaluate applicants, 
and 38% said that what they saw “negatively affected” their views of the applicant. 

4. American Management Association, Electronic Monitoring and Surveillance Survey, 
2007, http://press.amanet.org/press-releases/1 77/2007-electronicmonitoring- 
surveillance-survey/. For an example of monitoring file use and protecting data at 
work, see Verdasys, http://www.verdasys.com/ (a former client of mine). 


Copyrighted material 



70 ■ Cybervetting 


5. Madden, Mary, and Jones, Sydney, Networked Workers, Pew Internet and American 
Life Project, September 24, 2008, http://www.pewinternet.Org/-/media/Files/ 
Reports/2008/PIP_Networked_Workers_FINAL.pdf (accessed November 26, 2013). 

6. Electronic Monitoring Survey (Note 4). 

7. Hall, George M., The Age of Automation (New York: Praeger, 1995). 

8. Bouckaert, Jan, and Degryse, Hans, Opt In versus Opt Out: A Free-Entry Analysis 
of Privacy Policies, December 2005, http://weis2006.econinfosec.org/docs/34.pdf 
(accessed June 1, 2010). 

9. Shaw, Eric, Ruby, Keven G., and Post, Jerrold M., The Insider Threat to Information 
Systems, Political Psychology Associates, 1999, http://www.pol-psych.com/sab.pdf 
(accessed August 9, 2010). 

10. Computer Science and Telecommunications Board, National Research Council, 
The Digital Dilemma y Intellectual Property in the Information Age (Washington, DC: 
National Academies Press, 2000). 

11. Fischer, Lynn F., Espionage: Why Does It Happen (Richmond, VA: DoD Security 
Institute, October 2000); Kramer, L., Heuer, R. J., Jr., and Crawford, K. S., 
Technological Social arid Economic Trends that Are Increasing US Vulnerability to Insider 
Espionage , TR 05-10 May 2005, http://www.dhra.mil/perserec/reports/tr05-10.pdf 
(accessed November 27, 2013). 

12. Wise, David, Spy, Tl?e Inside Story of How the FBIs Robert Hanssen Betrayed America 
(New York: Random House, 2002). 

13. Rowan, J. Patrick, deputy assistant attorney general, U.S. Department of Justice, 
Enforcement of Federal Espionage Laws, Statement before the Subcommittee on 
Crime, Terrorism, and Homeland Security, Committee on the Judiciary, US House 
of Representatives, January 29, 2008. Herbig, Katherine L., and Wiskoff, Martin F., 
Espionage against the United States by American Citizens 1947—2001 , Technical Report 
02-5 (Defense Personnel Security Research Center [PERSEREC], Monterey, CA, 
July 2002). 

14. ReportsofUS Department of Defense, including http://www.defense.gov/news/news- 
article.aspx?id=l 20556 and http://www.defense.gov/news/newsarticle.aspx?id=l 20655 
(accessed November 27, 2013). 

15. Leonnig, C. D., Johnson, J., and Fisher, M., Tracking Edward Snowden, from a 
Maryland Classroom to a Hong Kong Hotel, Washington Post , June 15, 2013, http:// 
articles.washingtonpost.com/2013-06-1 5/world/39988583_l_anime-hong-kong- 
world (accessed November 5, 2013). 

16. Maas, Peter, How Laura Poitras Helped Snowden Spill His Secrets, New York Times , 
August 13, 2013, http://www.nytimes.com/ 2 Oi 3 /O 8 /l 8 /magazine/laura-poitras- 
snowden.html? (accessed November 5, 2013). 

17. NPR reports, http://www.npr.org/search/index.php?searchinput=%22edward+snowden 
%22 (accessed November 5, 2013). 


Copyrighted material 



LEGAL AND 
POLICY CONTEXT 



A good illustration of the issues involved in using the Internet for intelligence is the 
concern that the search engine companies and other Web service providers collect 
information from users for their own purposes, primarily including marketing . 1 
The intentions driving search engine providers such as Google, Bing, Yahoo, and 
so on are commercial: Advertisers are their first priority because they pay the bills. 
Searchers, consumers, browsers—users—are not as high a priority. That is not to 
say that Google et al. do not provide valuable and effective search machines. 

As discussed here, in the United States, where opt-out policies are applied, the 
user must ask that personally identifying information not be collected, opting out 
by request or by settings on a computer application. Even then, Internet service 
providers (ISPs), search engines, and websites collect and utilize information about 
Internet behaviors for business purposes, most frequently depositing cookies or 
small program fragments in the user s browser memory and logging user activities 
in their databases. That is why a product from a retailer you have visited online will 
pop up in an ad when you use your browser—the cookies tell a tale on the user. 
In many respects, the great benefits of the Internet as an information provider are 
supported by advertising and market measurement that depend on data mining of 
online behaviors and enable “free” services. However, there is well-placed concern 
about whether businesses will regulate themselves when it comes to self-interest 
over the privacy of the individual. As the US Congress and Americans contemplate 
the appropriate limits that should be imposed on Internet sites to ensure privacy 
protection, those contemplating how to exploit Internet information must confront 
similar issues. Meanwhile, in Europe, strong privacy protections apply to users’ 
data, and users must provide informed consent before a government agency or pri¬ 
vate company can make use of a person’s identifying data. 


Copyrighted material 


72 ■ Legal and Policy Context 


Network and Internet service providers and commercial websites collect 
detailed data from users for many valid reasons, including ensuring continuity, 
security, and quality of service. Most websites generally express their policies in 
statements about privacy and authorized use that are made available on the site. 
By tradition, links are often found at the bottom of the home page. The place of 
the ISP and some commercial websites in the spectrum of network services allows 
these businesses exceptions to laws forbidding interception of electronic communi¬ 
cations and collection and retention of customer-identifiable data—for the limited 
purposes of quality assurance and service continuity. Many online service provid¬ 
ers declare that they do not retain information specifically identifying a persons 
Internet uses, claiming instead only to aggregate anonymous data. However, it is 
technically feasible to trace activities online. Many Internet businesses were initi¬ 
ated for marketing purposes and rely on their ability to collect data on large groups 
of current and prospective customers to carry out their business-to-business activi¬ 
ties. Therefore, it behooves customers to understand the privacy and use policies of 
ISPs, and to make informed decisions about what website services to use, based on 
the customer’s comfort level in sharing private data with service providers . 2 Further, 
some skepticism is appropriate about the possible gap between the claims made 
about protecting users’ privacy and actual practice. 

To be fair, consumers’ identifying and transaction information is collected by 
brick-and-mortar businesses, utilities, government agencies, academic institutions, 
and organizations with whom accounts are established. The databases of such insti¬ 
tutions are often sold or provided to data aggregators and marketing firms, enabling 
such firms to conduct other businesses, among which are credit bureau services; 
law enforcement and private investigative support; verification for identity, credit 
cards, bank checks, employment, rentals, financing, and other purposes. The legal 
“owner” of the data on a particular consumer or on all the customers in a database 
is considered to be the business or agency itself. In America, data aggregators con¬ 
duct a thriving business, regulated by the Federal Trade Commission and various 
federal and state statutes. Because of errors in the data and mistakes in using the 
data for decisions such as issuing credit, employment, and conducting investiga¬ 
tions, there is increasing pressure to regulate the collection, retention, and use of 
personally identifying information. In short, excesses by those using consumer data 
have prompted crackdowns, and Internet businesses are no exception. 

Google is an interesting case in point. As of this writing: 

Google admits to collecting 3 information about the device(s) used to contact 
Google, what you do on Google, where you were (if available through Global 
Positioning Systems), applications from Google, local storage, and cookies about 
your interactions with Google and its clients. Google has many clients, some of 
whom users find with the Google search engine. 

Google was fined 4 for violating peoples privacy during its Street View map¬ 
ping project, when it scooped up passwords, email and other personal information 


Copyrighted material 



Legal and Policy Context ■ 73 


from unsuspecting computer users. In agreeing to settle a case brought by 38 states 
involving the project, the search company for the first time is required to aggres¬ 
sively police its own employees on privacy issues and to explicitly tell the public 
how to avoid such privacy violations. 

The settlement also included a fine of $7 million. Privacy advocates and Google 
critics saw the agreement as a breakthrough for a company they claim often vio¬ 
lates privacy. 

Complaints about Google have led to multiple enforcement actions in recent 
years, including European agencies’ investigations into the mapping project’s col¬ 
lection of personal data of private computer users. 


A related concern is the strategy of an Internet information collector: Will the 
collector use a proxy to “anonymize” searching so that it is not possible to know 
who is asking about whom? Are privacy options of the search engines and browsers 
used effectively? 


Notes 

1. Google, Inside Search: How Search Works, http://www.google.com/insidesearch/ 
howsearchworks/ (accessed November 29, 2013); Tsukayama, Hayley, Google Begins 
Collecting Users Data Across Its Services, Washingtoji Post , March 1, 2012, http:// 
art icles.washingtonpost.com/201 2-03-01 /b usi ness/3 5 4472 83_l_alma-wh itten- 
google-users-google-history (accessed November 29, 2013). 

2. Schlein, Alan M., Find It Online , the Complete Guide to Online Research , 2nd edition 
(Tempe, AZ: Facts on Demand Press, 2001). 

3. Del Castillo, Michael, Six Kinds of Your Information Google Openly Admits to 
Collecting, August 15, 2013, http://upstart.bizjournals.com/news/technology/2013/ 
08/1 5/6-data-categories-google-collects.html?page=all (accessed December 4, 2013). 

4. Streitfeld, David, Google Concedes that Drive-By Prying Violated Privacy, New 
York Times , March 12, 2013, http://www.nytimes.com/2013/03/l3/technology/ 
google-pays-fine-over-street-view-privacy-breach.html?_r=0 (accessed December 4, 

2013). 


Copyrighted material 



Copyrighted material 



Chapter 6 


Liability, Privacy, and 
Management Issues 


Liability for Service Providers 

The wide varieties of activities on the Internet spawned by creative businesses offer 
many types of social, recreational, hobby, communications, and business functions 
that work well and scale globally. In the early days of the Internet, it was possible 
to categorize service providers by the types of online activities offered, but soon 
“one-stop shopping” firms like America Online (AOL) created services with many 
types of interactions. Many of those online still use services like AOL, Microsoft’s 
Live, Google+, Yahoo!, and major telecommunications firms’ portals for a wide 
variety of functions, such as Internet access, e-mail, social networking, news, voice- 
over-IP (Internet protocol) telephony, chat, instant messaging, searching, and oth¬ 
ers. Social networking sites have become major portals, as have large online retailers 
like Amazon. 

Government agencies depend on the Internet to convey information and ser¬ 
vices to the public and registered users of all kinds. Mobile devices increasingly pro¬ 
vide a widening variety of online activities and applications. Today, the role of the 
commercial Internet portal in connecting users is to provide multiple, bundled ser¬ 
vices, often with applications allowing increasingly integrated and interconnected 
options. Examples include geolocation; finding nearby sites and people; texting a 
circle of “friends,” often with photos and videos; “face time” video telephone calls; 
interlacing multiple e-mail, instant messaging, and “tweet” contact lists and post¬ 
ings; evaluating retailers and business services; meetings; and updating agendas. 
Storage of large files such as video, photographs, music, and books is provided free 

75 


Copyrighted material 


76 ■ Cybervetting 


or at low cost “in the cloud.” As a facilitator of the human interactions enabled by 
the multifaceted network, Internet service providers (ISPs), hosts, telecommunica¬ 
tions companies, and interconnected service providers must understand the market 
forces, predominant personal views, laws, and ethical limitations of the activities 
riding their wavelengths. 

Based on historical profiles of crime patterns within communities, it is predict¬ 
able that a variety of criminals will take advantage of networked services to carry 
out their acts in a more efficient, anonymous, and (for them) pleasurable manner. 
Already, major telecommunications providers and ISPs have been forced to deal 
with many warrants, subpoenas, court orders, and requests requiring production 
of customer records, legal intercepts, and service details, based on serious criminal 
activities. No self-respecting drug dealer is without a cellular connection, whether 
on a “throwaway” cell phone or a Blackberry, iPhone, or Android device allowing 
multiple connections and messaging options. A classic case in a northeastern state 
involved a clue found at a murder crime scene, an apparent mob “hit,” which was 
a long-distance calling card from a telephone network that was traced to a man 
from Florida through his credit card. The man claimed he was in Florida at the 
time of the murder, but his cell phone records identified precisely where he was and 
with whom he discussed the murder he committed. He is now serving time for the 
murder. The records of the cell phone location and calls were vital to the investiga¬ 
tion, but even more important was the capability of identifying the calling card 
customer through the vendor’s credit card sales records. 

Telecommunications networks, ISPs, and website hosts generally take the 
position that they are not responsible for their customers’ activities because they 
are providing a virtual venue through which people can carry on legal behaviors. 
Unfortunately, services like eBay and craigslist have discovered that the sale of sto¬ 
len, contraband, and misappropriated items is sufficiently rampant that they have 
felt compelled to field a first-class team of former law enforcement and prosecuto¬ 
rial personnel to prevent, detect, and alert law enforcement to, otherwise respond 
to, and process data concerning illegal activities. Although the illegal activities may 
be only a small part of the service provided, it is significant to those victimized, 
such as an online purchase for which a customer received no goods. Not all Internet 
firms take the initiative or incur the expense that eBay has to ensure the integrity 
of a service that is open to virtually everyone. However, large Internet businesses 
all are compelled to field teams to answer court warrants and subpoenas issued for 
records relating to online criminal activities. 

Criminal and civil courts have so far agreed with the large majority of ISPs, 
websites, and others online that they are not responsible for the criminal behaviors 
of their customers, despite pressure brought on web service providers to prevent 
unlawful activities online . 1 In some instances, courts have recognized the autho¬ 
rized use policy (AUP) as in effect the governing rule on a website and held the cus¬ 
tomer who violates the AUP (and therefore the site’s terms of service) to be engaged 
in illicit activities by definition. In various communities, counties, and states, there 


Copyrighted material 



Liability , Privacy , and Management Issues ■ 77 


have been occasional cries to shut down or criminally sanction websites that have 
become a venue where illegal acts take place, including such activities as prostitu¬ 
tion, fencing, and drug sales, but in general, it is understood that websites operating 
properly still may be used in crimes. 2 

Among the special class of services online are those belonging to universities, 
colleges, other educational institutions, and some nonprofits. Many educational 
and nonprofit sites have a large amount of storage, a variety of applications, and 
high bandwidth—just what a cybercriminal may be looking for. Educational sites 
also operate in a wide-open environment. For example, at the start of each semes¬ 
ter, hundreds or thousands of students may “plug in” to the college information 
technology (IT) network. The educational system may be required for research, 
study, communications with teachers, class attendance, test taking, cafeteria access, 
campus access, bill paying, and a variety of other student, faculty, and staffservices. 
Often, the university e-mail system also accommodates alumni, a special target of 
solicitations for donations and support for the school. The size and openness of the 
educational IT infrastructure make it a prime target for cybercriminals, spammers, 
and marketers. As a consequence, many educational sites have found it necessary to 
adopt robust and inventive security measures that can guarantee system functions, 
integrity, and continuity, while keeping out malicious code, inadvertent infections, 
and deliberate attempts at misuse (e.g., changing grades, cheating on tests and 
papers, bulk spam). 

These examples are not limited to ISPs, other network service providers, and 
educational institutions. Unfortunately, many corporations have found that their 
employees have placed large quantities of contraband and illicit materials in shared 
storage (e.g., pirated MP3 music files, videos, and software in violation of copy¬ 
rights and child pornography laws). For example, an employee of a high-bandwidth 
company was arrested for running his own business on the side, selling child por¬ 
nography from his personal website that he had installed on company servers. Like 
the service providers, businesses are potentially liable for the content of their IT 
systems and must face the fact that at least a small percentage of their users will 
misuse their systems. The larger the systems, the greater the likelihood that illicit 
content and unauthorized behaviors are taking place on them. System owners must 
decide who, in effect, will be the sheriff in town. In all the instances discussed, it is 
the people who decide to misbehave on computer systems to which they are granted 
access that cause the risk to service providers. Like viruses, illicit acts online should 
be sought out, discovered, and dealt with by Internet-connected hosts, if only for 
self-preservation and reputation protection. 


Liability for Employers 

Employers in the private sector are governed by a series of constitutional, federal, 
state, county, and local statutes and legal standards. 3 This is not the appropriate 


Copyrighted material 



78 ■ Cybervetting 


place to itemize them. However, a key question that must be considered in all legal 
and policy discussions of Internet searching that applies to persons (individuals and 
legal persons) is the legal standards that must be applied. Therefore, it is necessary 
to focus on how one can conduct Internet and open-source information collection 
without incurring legal liability for violating a statute or standard. 

Employers must contemplate the laws that apply, whether they are conducting 
an internal criminal investigation, vetting potential employees, collecting business/ 
competitive intelligence, assessing market competition, doing due diligence, man¬ 
aging brand protection, or assessing security risks and vulnerabilities, to name some 
of the main reasons for enterprise intelligence functions. This discussion delib¬ 
erately omits market studies because the rules governing Internet social research 
(a very different animal from intelligence collection) should be applied for mar¬ 
ket research. However, some of the discussion in other chapters bears directly on 
such operations. 

Two key areas of concern are applicant background investigations and pro¬ 
tection of people, assets, and information (i.e., corporate security). Although an 
employer has legal obligations that must be met in assessing candidates for employ¬ 
ment, the obligation to provide a safe and secure workplace is also vital. When an 
employer discriminates in hiring under Title VII of the Civil Rights Act of 1964, 
liability is created, and lawsuits will probably follow. When an employer fails to 
anticipate the likelihood of a threat such as an insider victimizing fellow employees, 
customers, or others, liability may be incurred. It is only a matter of time before 
the legal theory that an employer should have known and acted on information 
published and readily available on the Internet finds its way into a courtroom, espe¬ 
cially if violence, crime, or serious loss occurs in or outside the workplace. Physical 
world negligence suits against employers asserting a standard of due care in hiring 
have succeeded, and it is likely that cyber-world torts will as well. 4 

The federal government, counties, states, and municipalities to varying degrees 
oversee the application of employment laws. The courts apply the laws for criminal 
and civil judgments. One aspect of the rapid advances in IT is the lag time between 
societal changes such as large-scale Internet use and the adaptation of the legal sys¬ 
tem to new realities. 5 For example, at a time when millions of Internet users illicitly 
download films, music, and software for personal use in violation of copyright laws, 
how can an employer judge how much illicit activity of this kind should preclude 
a person from employment? How many downloads are tolerable? Is it likely that 
people who misappropriate movies would also commit economic espionage? Can 
that likelihood be judged by the amount of past illicit downloading done? Business 
and government are, at this writing, just beginning to contemplate the metrics of 
adjudications in the Internet era. 

Avoiding serious liability will require employers to look carefully at the stan¬ 
dards they apply to vetting employees, both for hire and for continued employ¬ 
ment, promotion, or clearances. Fortunately, according to court cases reviewed to 
date, there is no requirement in the United States for an employer to take additional 


Copyrighted material 



Liability, Privacy, and Management Issues ■ 79 


steps to utilize any public information in background investigations, provided that 
the process includes notice, signed (informed) consent, and a verification process. 
Should an employer wish to include questions to candidates about their computer 
use and abuse and verification of their responses using Internet vetting, it would be 
prudent to include explicit prior notice about those topics in the process. Suggested 
methods appear in further discussion. At least 12 states, including Nevada and 
New Jersey, forbid employers from requiring candidates or employees to reveal 
social networking passwords or providing access to private postings. 6 Therefore, 
before asking a prospective or current employee to grant access to a private social 
networking account, an employer should know whether that is legal. At this writ¬ 
ing, it is not illegal or unethical to access or consider publicly available Internet 
information for employment purposes. 

Most application forms and the governments SF-86 form (among others) ask 
applicants to list the other names or aliases by which they are known. Because a 
large percentage of Internet users (at least 30%, based on studies by Pew and others) 
have multiple virtual identities online, it is important in the background investiga¬ 
tion process to collect them. Virtual identities include e-mail addresses, nicknames, 
“handles,” user names, and other pseudonyms used for Internet activities. Asking 
for these aliases does not exceed the current norm for forms used, but 4 years’ study 
has shown that few employers explicitly ask applicants to include virtual identities 
on the form. The SF-86, which is used for US government candidates for jobs with 
clearances, asks for both home and work e-mail addresses and for aliases. Recently 
added to the SF-86 are questions about prior misbehavior using computers. Yet, 
almost no agencies at this writing explicitly instruct candidates to include their 
Internet identities, which may have been used in such misbehavior. Some state stat¬ 
utes forbid an employer from requiring a candidate or employee to provide a user 
name, but it is common for user names and e-mail names to be identical. 

The discussion that follows is designed to help put Internet intelligence gather¬ 
ing in an appropriate legal context. However, statutory and case law are rapidly 
developing in this area of Internet law. 


Accountability for Employees 

Automation of the workplace and widespread evolution of social norms for com¬ 
puter use have dramatically changed the landscape in ways that enterprises may not 
have considered. Habits acquired in personal computer use may invade the busi¬ 
ness, and business topics are being included in off-hours blogging, social network¬ 
ing, and a variety of other Internet activities both desirable and undesirable from 
the employer s standpoint. In most workplaces, it is easy to acquire digital goods, 
including designs, customer lists, marketing plans, information about employ¬ 
ees, and other trade secrets and privacy-protected data. Espionage cases over the 
past 20 years in both government and industry have highlighted how much more 


Copyrighted material 



80 ■ Cybervetting 


damaging just one insider can be because of the volume, quality, and scope of the 
data stolen, particularly when IT systems are exploited. 8 

It must be acknowledged that most computers, networks, and data are 

■ Intrinsically not secure and perhaps not absolutely securable in the near term 

■ A gateway to most enterprises’ most sensitive and valuable data 

■ Accessed by employees as trusted users with little oversight 

■ Protected more strongly against outsiders than insiders 

■ A higher risk than most employers understand 

Recent experience demonstrated that most enterprises have attempted to 
strengthen their information security and have sought to improve protection 
through employee security awareness. Laudable though those efforts are, they may 
be inadequate for the task. Studies of insider crime have demonstrated since bibli¬ 
cal times that there is almost always an insider willing to commit serious crimes 
within any sizable enterprise. After years of frustration with inadequate metrics, 
questionable survey statistics, and corporate security experience as a practitioner, 
colleague, and consultant to business and government, my rule of thumb is that 
at least 6% of employees will commit a felony crime against their employer yearly. 
I regret having to report this, just as I regret having participated in the arrest of 
priests, nuns, and Federal Bureau of Investigation (FBI) agents. One only need look 
at the high crimes and misdemeanors of the nation s once-respected politicians, law 
enforcement officers, intelligence officials, clergy, business leaders, and nonprofit 
executives to demonstrate that there is no sacrosanct group of human beings in 
any workplace. Aspiring to greatness does not prevent crime in the ranks. So, the 
logical question for every enterprise is how to approach the virtual goods that are 
at the disposal of every authorized user through information systems. US military 
and intelligence agencies take the approach that all online activities involving clas¬ 
sified data and systems will be logged, monitored, and serious breaches prevented. 9 
Alas, even those systems with the strongest protections have been victimized by 
clever, malicious users, such as the FBIs Robert Hanssen and Edward Snowden of 
the National Security Agency (NSA) and Central Intelligence Agency (CIA). It is 
clear that it is the person, not the machine, that should be the focus of behavioral 
assessment because it is the person who can make a mistake or commit a crime. 

Twentieth-century personnel management can be characterized as evolving 
from the workplace cruelty of the Industrial Revolution to the civilized protections, 
led by unions, of the information age. Yet, there are those who would contend that 
there were more layoffs, outsourcing, and treatment of workers as commodities from 
1980 to 2010 than from 1950 to 1980. It was a period when the lifelong aspiration 
to work for just one employer (other than the government) came to a painful end. 
The trust and emotional attachment between employer and worker ended. You can 
hear it in the terms used for employees: human resources and human capital—just 
another form of currency. 


Copyrighted material 



Liability, Privacy, and Management Issues ■ 81 


Perhaps it sounds too strident to observe that an employer, viewed even in the 
press as likely to downsize or outsource, is apt to be looked on by employees with 
a wary eye. The employer, needing to keep key talent, may engage in strategies to 
use economic leverage to prevent the exodus of its brain trust. Employees, for their 
part, may collect as much data as they can from the workplace in anticipation that 
bringing the data with them will enhance their value in the next job. Several surveys 
suggested that this is actually happening frequently in the twenty-first century. 10 

Employee accountability in this context can be a sensitive topic, given the 
atmosphere described previously. However, the compact between the employer 
whose net worth is largely in data and the employee with access to that data must 
include a strong element of trust if the enterprise is to succeed. In most agencies and 
firms, a formula for success is holding each individual user accountable for actions 
taken, both offline and online. All trusted users should sign a confidentiality agree¬ 
ment. At log-on, workers should be reminded that, as a condition of access, their 
use of data and online activities are controlled by programs to prevent misuse, as 
well as to log events. This accountability should start before the applicant is hired, 
should be stressed during indoctrination and training, and continue with periodic 
audits, reinvestigations, monitoring, and enforcement of AUPs during employ¬ 
ment. Internet investigations are a natural part of preemployment screening and 
reinvestigations. Like the Internet, intranet behavior can be a prime indicator of 
danger for the enterprise when users violate the law, policies, and rules. Given the 
invaluable nature of information assets, today’s automated employer owes nothing 
less to stockholders, customers, and the employees themselves than vigilance and 
efficiency in protecting its information assets from malicious users. 


Notes 

1. Center for Democracy and Technology, http://webcache.googleusercontent.com/sea 
rch?q=cache:I4j3DH5q 178j:https://www.cdt.org/files/Intermediary-Liability-6p. 
doc+5£cd=9&hl=en&ct=clnk&:gl=us (accessed November 29, 2013). 

2. Krasne, Alexandra, What Is Web 2.0, Anyway? TechSoup , December location, 
2003, http://www.techsoup.org/learningcenter/webbuilding/archives/page9344.cfm 
(accessed June 1, 2010). Cybercrime information collected in law enforcement brief¬ 
ings of the International Association of Chiefs of Police ad hoc Computer Crime and 
Digital Evidence Committee (which I chaired 2009-2011). 

3. Nixon, W. Barry, and Kerr, Kim M., Background Screening and Investigations , Managing 
Risk from HR and Security Perspectives (New York: Elsevier, 2008). 

4. Lawson, Thomas C., Expert witness in several negligent hiring cases in California and 
Arizona, http://www.apscreenemploymentscreening.com/articles/case_samples.pdf 
(accessed May 25, 2010). 

5. Herritt, Henry H., Jr., dean, Chicago-Kent College of Law, The Internet Is Changing the 
Public International Legal System, Illinois Institute of Technology, 1999, http://www. 
kentlaw.edu/cyberlaw/perrittnetchg.html (accessed December 18, 2013); Depoorter, 


Copyrighted material 



82 ■ Cybervetting 


Ben, Technology and Uncertainty: The Shaping Effect on Copyright Law, U?tiversity 
of Pennsylvania Law Review , 157: 1831, 2009, https://www.law.upenn.edu/live/ 
files/78-depoorterl57upalrevl8312009pdf (accessed December 18, 2013); American 
Bar Association Journal , http://www.abajournal.com/ (accessed December 18, 2013); 
e-commerce law reports, http://www.e-comlaw.eom/e-commerce-law-reports/#!. 

6. National Conference of State Legislatures, http://www.ncsl.org/research/ 
telecommunications-and-information-technology/employer-access-to-social-media- 
passwords-2013.aspx (accessed December 18, 2013); DelDuca, M. V., Barrueco, 
A. L., and Dolinsky, K. A., New Jerseys New Social Media Privacy Law: Balancing 
Employee Rights and Employer Protections, Pepper Hamilton, September 16, 2013, 
http://www.mondaq.com/unitedstates/x/262784/employee+rights+labour+ relations/ 
New+Jerseys+New+Social+Media+Privacy+Law+Balancing+Employee+Rights+And+ 
Employer+Protections (accessed December 18, 2013). 

7. Questionnaire for National Security Positions, SF-86, http://www.opm.gov/forms/ 
pdf_fill/sf86.pdf (accessed May 26, 2010). 

8. Shaw, Eric D., Ruby, Keven G., and Post, Jerrold M. The Insider Threat to Information 
Systems, Political Psychology Associates, 1999, http://www.dm.usda.gov/ocpm/ 
Security%20Guide/Treason/Infosys.htm (accessed December 18, 2013); Kipp, Steven 
P., Espionage and the Insider, SANS Reading Room, https://www.sans.org/reading- 
room/whitepapers/basics/espionage-insider-426 (accessed December 18, 2013). 

9. For example, DOD Directive 5220.22-M, Chapter 8, Information Systems Security, 
Section 6, Protection Requirements, US Department of Defense, Washington, DC, 
February 2001. 

10. Moore, Andrew P., Cappelli, Dawn M., Caron, Thomas C., Shaw, Eric, and Trzeciak, 
Randall F., Insider Theft of Intellectual Property for Business Advantage: A Preliminary 
Model, Carnegie Mellon Software Engineering Institute and CERT, appearing in the 
First International Workshop on Managing Insider Security Threats (MIST 2009), 
Purdue University, West Lafayette, IN, June 15-19, 2009. 


Copyrighted material 



Chapter 7 

Laws 


Introduction 

This chapter contains brief reviews of the statutes that may assist those seeking 
guidance about the legal framework that applies to Internet intelligence and inves¬ 
tigations. For the most part, federal and state laws have not contained restrictions 
on the use of the Internet to collect information—especially public or published 
information—for use by investigators until recently, beginning about 2009—2010. 
State laws regarding social networking and privacy, federal and state laws regarding 
copyrights and intellectual property, and some cybercrime provisions are chang¬ 
ing, albeit much more slowly than the Internet and societal norms online. The 
summaries and views expressed here do not constitute legal opinions or advice, or 
an attempt to detail every law related to cybervetting, but are conveyed as com- 
monsense interpretations of the meaning of current laws and indications of the 
intent of Congress, legislatures, and the judiciary, even if the laws themselves do 
not address Internet investigations directly. Because people have differing views 
and strong opinions about their privacy rights, some of the interpretations that fol¬ 
low may be controversial. 


Constitutional Rights 

The US Constitution’s amendments 1 enshrine the following rights relevant to 
Internet searching: 


83 


Copyrighted material 


84 


■ Cybervetting 


■ First: Freedom of speech 

■ Fourth: Freedom from unreasonable search and seizure 

■ Fifth: Freedom from being forced to give witness against oneself or to be 
denied due process of law 

■ Sixth: Right of an accused to call witnesses and face an accuser in court 

None of these rights precludes Internet searching under the appropriate circum¬ 
stances. Litigation to date concerning constitutional rights has provided no success¬ 
ful challenge to Internet searching. Only a few cases have been brought. Litigation 
will be considered in further discussion. 

Decisions by the Supreme Court and other federal courts in general have upheld 
the rights of individuals to protection of their information (e.g., postings) if there 
is a reasonable expectation of privacy. Under the Fourth Amendment, the location 
where the reasonable expectation of privacy exists is usually interpreted as in ones 
home, but that has been extended by court decisions to include other places where 
privacy can be expected (e.g., in a phone booth or hotel room). Although a laptop 
or handheld device would normally have the same protections as ones information 
at home, technology changes, border antiterrorist efforts, massive-scale intelligence 
collection, and the extremely fungible nature of large files on small storage devices 
are raising new legal questions. On the Internet, a network, or even a person’s com¬ 
puter, the privacy of a venue and users’ expectation of privacy may often depend on 
the authorized use policy (AUP) of the website (online servers) and the efficacy of 
data protection. Where the terms of use call for recognition of individual privacy 
rights, presumably a collector of information should abide by the AUP or face the 
possibility that information found may not be legally usable in any court or admin¬ 
istrative procedure. Collection itself may even be deemed illegal if it is considered 
to be for an illegitimate purpose under US federal criminal statutes. 

Following are some comments on constitutional rights relating to Internet 
search: 


The First Amendment right to free speech does not mean that there will be no 
penalty for expressing views that may be offensive, illegitimate, or destructive. 
For example, an employee publishing harsh criticism of his employer online may 
be fired. The exception to such an action might be an employee commenting on 
the fairness of his employer or about a topic like compensation, which might be 
protected under National Labor Relations Board (NLRB) laws or regulations 
pertaining to employee/union rights. The misperception among some people that 
self-expression is exempt from repercussions because of the First Amendment has 
muddled understanding of valid privacy rights and the right of an employer to 
protect its reputation. 

Fourth Amendment protection against unreasonable search and seizure has 
been challenged by modern technologies. The interconnectivity of the World 
Wide Web, dependent as it is on both private and public connections, exposes 
communications and postings to view by literally billions of people, sometimes 


Copyrighted material 



Laws ■ 85 


on purpose and sometimes by accident. When a posting is freely accessible to 
many Internet users, it is reasonable to expect that law enforcement, an employer, 
or literally any user may access that posting and react as they are legally entitled. 
An investigator should be expected to observe that which is obvious (e.g., pub¬ 
lished online) and to collect as evidence information pertaining to a case that is in 
plain view. Although a person of interest may not intend for a posting to become 
visible to the investigator, the person may not enjoy a constitutional protection 
against its use in court or in an adverse action. Wireless communications may 
place packets transmitted openly by radio within “hearing” of “listeners” within 
range—rendering such content accessible to unauthorized parties. Even though 
interception of data from wireless devices such as cell phones may be illicit, users 
find themselves vulnerable to electronic surveillance by anyone with the means to 
do so. Use of illicitly obtained data would be generally inadmissible for any adverse 
action and might violate federal laws against illegal electronic surveillance. 

The Fifth Amendment can raise issues about the use of postings in court, 
depending on the judge s interpretation of the nature of the postings (e.g., hearsay, 
private communications, and diaries obtained without process). 

The Sixth Amendments right to face an accuser in court may preclude anony¬ 
mous postings or those from unavailable witnesses from being used against the 
accused in court. 


Constitutional rights come into play in state courts, as well as federal courts, 
and state constitutions (which follow the US Constitution in most respects) also 
apply to court interpretations of evidence obtained online. 


Statutes 

A review of US laws that may have an impact on Internet searching for informa¬ 
tion on individuals was conducted. These statutes regulate investigations to varying 
degrees, depending on the purpose, methods used, and resulting actions. Based 
on this review, the key issues are the methods used to retrieve the data, the uses to 
which Internet search results are put, and how decisions are made based on find¬ 
ings. Relatively new state statutes and proposed laws restrict what employers can 
require candidates and employees to reveal about their online activities and creden¬ 
tials. Following is a summary of those laws deemed most relevant. 


Federal Statutes 

The Privacy Act of 1971, as amended : 2 Controls government collection, use, and 
protection of personally identifying information and limits the extent to 
which federal agencies can disclose records: An individual must consent in 
writing, a court order must be issued, or the disclosure must fall within one 
of the statute s exceptions. The Privacy Act does not address personal infor¬ 
mation collected by private parties, such as data brokers, collection agencies, 


Copyrighted material 



86 ■ Cybervetting 


or consumer credit groups. A privacy impact assessment is required when a 
government agency establishes a new information system used to store data, 
including personally identifying information. 

The Public Information Act (Freedom of Information Act)'? Governs disclosure 
of US Government information, with exemptions for law enforcement and 
intelligence investigative files. The Disclosure of Confidential Information 
Act provides criminal penalties for unauthorized disclosure of specified 
classes of information by government officers and employees. 

Health Insurance Portability and Accountability Act of 1996 (HIPA A), Gramm- 
Leach-Bliley Act of 1999, and Sarbanes-Oxley Act of2002? Several statutes, 
including these three, provide for the protection of sensitive, personally iden¬ 
tifying information in the hands of the health industry, financial services, 
and consumer services enterprises. 

The USA Patriot Act, Public Law 107-56, 2001? The Patriot Act does not spe¬ 
cifically address investigations of candidates for employment or clearances, 
except for drivers of hazardous cargo vehicles, who must meet federal stan¬ 
dards for licensing based on a background investigation. Ihe Patriot Act 
authorizes government surveillance and information collection activities, 
including electronic surveillance, designed to prevent terrorism, under appro¬ 
priate legal authority (e.g., a warrant, subpoena, or national security request). 
Large-scale government data collection and analysis activities for counter¬ 
terrorism purposes were revealed by Edward Snowden, a former National 
Security Agency (NSA) contractor and Central Intelligence Agency (CIA) 
employee, who admitted to hacking inside government systems to obtain, 
and then leak to media outlets, a large quantity of documents about sensi¬ 
tive US Government collection methods. Several types of collection allow 
governments to amass and exploit large data sets to find indicators of terrorist 
and criminal behaviors. The Patriot Act’s authorizations have been reviewed 
by Congress and courts and may be amended because of frequent political 
debates about the proper limits of government surveillance. Snowden’s leaks 
have sparked debates about not only government actions but also those of 
various service providers who assisted the government in its intelligence 
functions. Historically, Americans are apt to demand more robust secu¬ 
rity to prevent attacks like that which occurred 9/11/2001 but to demand 
less-intrusive security when attacks seem to be contained or are in the past. 
This debate about sufficiency of intelligence collection is relevant to Internet 
searches because open-source data, including that of the Internet, have 
become evermore important to intelligence collection of all types. 

The Fair Credit Reporting Act (FCRA), Public Law 91-508 (Title VI § 601)? 
Regulates consumer reports and consumer reporting agencies, establishing 
standards for the collection and dissemination of credit information and con¬ 
sumer reports, including reports of background investigations conducted by 
contract firms (but not by employers themselves) establishing eligibility for 


Copyrighted material 



Laws ■ 87 


employment. Key provisions include the ability of the subject of a consumer 
report to review it and correct information deemed inaccurate. The FCRA 
protects prospective and onboard employees and must be the basis for policy 
principles established for Internet vetting by the private sector. The FCRA is 
examined further in this chapter. 

Electrojzic Communications Privacy Act of1986 (ECPA) I Protects wire, oral, and 
electronic communications while in transit by requiring warrants for inter¬ 
ception and protects communications held in electronic storage (i.e., mes¬ 
sages stored on computers). Law enforcement and investigators must obtain 
warrants or use other specified processes to obtain communications and 
customer account data. Protects private communications from third-party 
access, such as Internet service providers (ISPs). ECPA does not restrict col¬ 
lection of data legitimately posted on the public Internet or regulate the per¬ 
sonal information that may be made available by users who willingly post 
such information. ECPA also does not protect employees’ communications 
conducted on employers’ systems. Some litigation under ECPA has served to 
clarify its reach. 

Title X, Homeland Security Act of 2002, and Title III E Government Act of 
2002 , amending the Federal Information Security Management Act (FISMA) 
of2002:* These statutes require that federal programs include information 
technology training programs and security awareness training for personnel 
and contractors that include information security risks and responsibilities 
involved in reducing those risks. 

The Computer Fraud and Abuse Act (Title 18, Part I, Chapter 47, § 1030)2 
Forbids, with other federal criminal statutes, criminal activities that occur in 
the physical world, when they take place in cyberspace, and crimes facilitated 
by computers. US computer crime is the province of the Computer Crime 
and Intellectual Property Section of the US Department of Justice (infor¬ 
mation can be found at http://www.justice.gov/criminal/cybercrime/), which 
posts much helpful information about computer-related crime and intellec¬ 
tual property protection. Many types of street crimes (e.g., sale of pirated 
movie DVDs on the streets in Manhattan and Beijing) are also found on 
the Internet (where millions of users monthly patronize about 1,000 pirate 
sites offering films, videos, music, and software). This statute and others 
make it unlawful for an unauthorized person to access computers and data. 
The unauthorized access provision is controversial among some people, who 
believe that when information is stored on a system to which they can gain 
access, its ownership rights have been forfeited by its possessor. As a popular 
TV show about a master hacker said, “If they didn’t want me to see it, why 
didn’t they protect it better?” Most prosecutions under this act are based on 
demonstrable harm done by intrusions to systems or their owners. Recently, 
the number and seriousness of intrusions to businesses and institutions have 
raised alarms about the integrity and security of online systems as a whole. 


Copyrighted material 



88 ■ Cybervetting 


Although the number of successful black-hat hackers may be small, their 
impact has increased because of the volume of people affected by breaches. 
The number of people involved in less-serious illicit acts online, such as copy¬ 
right violations, remains high. Because millions of people engage in unlaw¬ 
ful activities on the Internet, it is unlikely that most of them, given today’s 
enforcement situation, will ever be charged with crimes. 

The Computer Security Act of1987 (Public Law 100-235): w This act, subsequent 
statutes, and appropriations aim to strengthen the security of government 
computers, networks, and data and assign establishment of computer security 
standards to the National Institute of Standards and Technology (NIST) 
and other federal agencies, including training of federal systems users and 
security measures. 

The Children's Online Privacy Protection Act (COPPA): u Regulates the informa¬ 
tion that can be collected about preadult Internet users by websites and other 
commercial online service providers. COPPA is an example of the concern 
that the Congress has expressed in statutes, hearings, and studies about the 
best ways to protect the privacy of all Internet users from collection of per¬ 
sonally identifiable transactional data by ISPs, websites, and advertisers. The 
Federal Trade Commission updated its guidance for business, parents, and 
small entities in July 2013, emphasizing the goal, which is to put parents in 
charge of what is publicly available from children 13 years old or younger. 12 

Copyright (Title 17, U.S. Code) and Uruguay Round Agreements Act (implement¬ 
ing international copyright treaties J: 13 Protects authors of original works that 
are fixed in a tangible form of expression, both published and unpublished, 
giving the author exclusive rights to do and authorize reproduction, distribu¬ 
tion, public performance, or display, with fair use and licensing restrictions. 
Registration and marking of copyrighted material are not necessary for copy¬ 
right protections to apply. Infringement of copyright can be a federal civil 
or criminal matter, enforced by the courts, including damages, injunctions, 
and impoundment. Providing false contact information to a domain name 
registry creates a rebuttable presumption that the infringement was willful. 
Criminal infringement includes fines and incarceration for commercial, for- 
profit misuse, including illicit distribution by computer networks. ISPs are 
exempt if violations are committed by network users and not the ISPs. 

Federal background screening laws : Besides the FCRA, federal statutes control¬ 
ling background screening and related employer-employee issues include the 
National Labor Relations Act (NLRA), the Driver’s Privacy Protection Act, 
the Civil Rights Act of 1964, Title VII of the Civil Rights Act 1996 (com¬ 
monly referred to as Title VII), the Americans with Disabilities Act, the Federal 
Bankruptcy Act, the Employee Polygraph Protection Act, and the Family 
Educational Rights and Privacy Act, as well as guidelines set by the Equal 
Employment Opportunity Commission. None addresses cybervetting. The 
NLRB has brought actions against employers who have sanctioned employee 


Copyrighted material 



Laws ■ 89 


postings related to unionizing, wages, benefits, or working conditions, which 
are considered protected under the NLRA. An emerging area of law is defin¬ 
ing the limitations on employers whose rules about what employees say online 
that could potentially harm the enterprises reputation are considered to limit 
employees’ right to address NLRB-regulated employer-employee relationships. 
“The National Labor Relations Act protects the rights of employees to act 
together to address conditions at work, with or without a union. Ihis protec¬ 
tion extends to certain work-related conversations conducted on social media, 
such as Facebook and Twitter.” 14 


State Statutes 

California statute: Unauthorized Access to Computers y Computer Systems and 
Computer Data (California Penal Code Section 502-502.08):^ From the statute: 

It is the intent of the Legislature in enacting this section to expand 
the degree of protection afforded to individuals, businesses, and 
governmental agencies from tampering, interference, damage, 
and unauthorized access to lawfully created computer data and 
computer systems. The Legislature finds and declares that the 
proliferation of computer technology has resulted in a concomi¬ 
tant proliferation of computer crime and other forms of unau¬ 
thorized access to computers, computer systems, and computer 
data. The Legislature further finds and declares that protection of 
the integrity of all types and forms of lawfully created comput¬ 
ers, computer systems, and computer data is vital to the protec¬ 
tion of the privacy of individuals as well as to the well-being of 
financial institutions, business concerns, governmental agencies, 
and others within this state that lawfully utilize those computers, 
computer systems, and data. 

California Database Protection Act (CDPA), CA Civil Code § 1798.82; Consumer 
Credit Reporting Agencies Act, CA Civil Code § 1798.16; California Investigative 
Consumer Reporting Act y CA Civil Code 5 1798.83-84; U.S. Comptroller of the 
Currency guidance to national Banks y OCC Bidletin 2005-13:14 : 16 The CDPA, 
which took effect in July 2003, mandates public disclosure of computer secu¬ 
rity breaches in which confidential information may have been compromised. 
The law covers state agencies and all private enterprises doing business in 
California. Any entity that fails to disclose that a breach has occurred could 
be liable for civil damages or face class action lawsuits. Personal confidential 
information includes first and last names in conjunction with the follow¬ 
ing data: Social Security number, driver’s license or California identifica¬ 
tion card (CID), account number, and credit or debit card number with any 
required security code, access code, or password that would permit access to 
an individual’s financial account. The US Comptroller of the Currency issued 


Copyrighted material 



90 ■ Cybervetting 


guidance requiring national banks to notify customers of data breaches that 
include sensitive customer information. California state laws governing back¬ 
ground checks include the California Consumer Credit Reporting Agencies 
Act and the California Investigative Consumer Reporting Act, which expand 
on the requirements of the federal FCRA. Federal proposals to legislate simi¬ 
lar requirements continue. 

Examples of other relevant state statutes '. 17 California Civil Code § 1798.83-84 
and Utah Code §§ 13-37-101, 102, 201, 202, 203 require all nonfinancial 
businesses to disclose to customers the types of personal information that the 
businesses sell or share with third parties for marketing purposes or for a fee. 
Minnesota §§ 325M.01 to .09 prohibit disclosure of an ISP customer’s person¬ 
ally identifying information, stored data, and surfing history, except to law 
enforcement, and provides for civil damages. Nevada § 205.498 requires ISPs 
to keep confidential all but a customer’s e-mail address and requires keeping 
e-mail addresses confidential if a customer so requests, subject to fines for 
violations. Delaware § 19-7-705 and Connecticut General Statutes § 31-48d 
prohibit an employer from collecting e-mail contents and Internet surfing data 
of employees without written notice, imposing civil penalties for violations. 
Exceptions are made for criminal investigations. At least 16 states have statutes 
that require government websites to establish privacy policies and procedures. 

A good example of state approaches to guidelines for social media use by state 
employees and contractors is the state of Oklahoma Social Networking and Social 
Media Policy and Standards, Revised September 14, 2011 (originally published 
March 18, 2010). It treats posting policy and security, but not cybervetting. The 
purpose states, “Office of Management and Enterprise Services (OMES) ... and 
the Oklahoma Office of the Attorney General have been working as a part of a col¬ 
laborative effort involving the National Association of Attorneys General (NAAG) 
and the National Association of State Chief Information Officers (NASCIO) work¬ 
ing on Terms of Service agreements with a broad range of social media providers 
who offer free services to users.” 18 

In a January 2014 update on Internet privacy statutes, the National Conference 
of State Legislatures (NCSL) stated: 19 

Two states, Nevada and Minnesota, require Internet Service Providers 
to keep private certain information concerning their customers, unless 
the customer gives permission to disclose the information. Both 
states prohibit disclosure of personally identifying information, but 
Minnesota also requires ISPs to get permission from subscribers before 
disclosing information about the subscribers’ online surfing habits and 
Internet sites visited. 

Minnesota Statutes §§ 325M.01 to.09 
Nevada Revised Statutes § 205.498. 


Copyrighted material 



Laws ■ 91 


In addition, NCSL reported: 

State lawmakers introduced legislation beginning in 2012 to prevent 
employers from requesting passwords to personal Internet accounts to 
get or keep a job. Some states have similar legislation to protect students 
in public colleges and universities from having to grant access to their 
social networking accounts. ... As of April 10, 2014, legislation has 
been introduced or is pending in at least 28 states, and enacted in one 
state—Wisconsin—so far in 2014. 

These proposed statutes appear to focus on keeping social networking user 
names and passwords private, but some go beyond and forbid employers and other 
authorities from requiring a person to display or divulge personal social networking 
profiles. 20 One example of a state statute that has gone into effect is in Nevada, where, 
as of October 1, 2013, it became illegal for an employer to require, request, or even 
suggest that an employee or a prospective employee disclose the user name, password, 
or other access information to his or her personal social media account. 21 

In federal and state laws, both the US Congress and the states have passed 
statutes aimed at protecting the privacy of computer and Internet users across the 
board. Many of the statutes restrict government collection and use of data without 
placing similar restrictions on the private sector. However, no law found prohibits 
the collection of publicly posted information on the Internet for a lawful purpose. 


Federal Rules of Evidence and Computer Records 

The most recent (2013) versions of the Federal Rules of Evidence, Federal Rules 
of Criminal Procedure, and Federal Rules of Civil Procedure 22 contain almost no 
references to the Internet, except mention of publication online of government 
information. 4he Rules of Evidence do not even contain the words Internet , cyber , 
or digital . However, they do treat u data stored in a computer or similar device” 
and state that “a reference to any kind of written material or any other medium 
includes electronically stored information.” The rules apply the same standards for 
acceptability based on the reliability and trustworthiness of records and informa¬ 
tion, whether they are computerized or not. 23 They state, “For electronically stored 
information, ‘original’ means any printout—or other output readable by sight—if 
it accurately reflects the information.” 2 ‘ 

To address the issues of admissibility and authenticity of evidence as viewed by 
a court of law, the Federal Rules of Evidence are considered here, rather than those 
of each state, selected foreign countries, or some other approach, all of which might 
fall short of providing consistent and useful guidance. Because the states generally 
follow the federal approach, and this area of law is evolving with the technologies 


Copyrighted material 



92 ■ Cybervetting 


involved, the federal rules are deemed enlightening and sufficient. They are rooted in 
the Constitution (e.g., the Sixth Amendment right of an accused to face an accuser). 

Federal courts generally consider admitting computer records into evidence 
under an exception to the hearsay rule, which states (in relevant part): “Hearsay, 
[which] is a statement, other than one made by the declarant while testifying at 
the trial or hearing, offered in evidence to prove the truth of the matter asserted 
...is not admissible except as provided by these rules or by other rules prescribed 
by the Supreme Court pursuant to statutory authority or by Act of- Congress.” 
In lay terms, testimony by John that “Mary said Sam did it” usually would not 
be admitted in federal court. Exceptions to the hearsay rule include a recorded 
recollection, or a record of regularly conducted activity, such as a business record. 
Courts have analyzed the content and circumstances of computer records' creation 
to determine if they contain hearsay. If a person created the record (e.g., a docu¬ 
ment, spreadsheet, etc.), then its admissibility may depend on testimony to authen¬ 
ticate the content and assert that it is accurate as recorded (e.g., if it was information 
that a clerk normally enters in the course of business). If the computer itself created 
the record by processing data in a programmed fashion, then the record may not 
contain hearsay but may require someone to authenticate the information to be 
admitted. Of course, computer records often contain mixed data (i.e., those that 
are entered by a person, which courts interpret as containing hearsay, and those 
that result from automated processing). To have computer evidence admitted, then, 
a party must establish the authenticity of the record and that it falls under the 
hearsay rule exception. 25 

One reason for considering the Federal Rules of Evidence in connection with 
cybervetting and Internet intelligence is the reasoning behind the centuries-old 
court rules, which are based on British Common Law and American practice. The 
rules point to a central issue: the authenticity and veracity—“trustworthiness”—of 
the data. Essentially, all intelligence functions must face the same questions as 
the courts: Is this information real or somehow untrustworthy? Is the information 
likely to be true or false? Courts apply rules like the hearsay one to keep unreliable 
information out. As the Justice Departments guidance says: 

The hearsay rules exist to prevent unreliable out-of-court statements by 
human declarants from improperly influencing the outcomes of trials. 
Because people can misinterpret or misrepresent their experiences, the 
hearsay rules express a strong preference for testing human assertions 
in court, where the declarant can be placed on the stand and subjected 
to cross-examination. 26 

Among other responses to the challenges of admissibility of electronic evi¬ 
dence, the Maryland District of federal courts issued a Suggested Protocol for 
Discovery of Electronically Stored Information in the US District Court for the 
District of Maryland. 2 Because technical and physical norms for identifying and 


Copyrighted material 



Laws ■ 93 


authenticating documentary evidence when it is computerized are a focus of every 
court case in which such evidence is proffered, it is expected that case law will con¬ 
tinue to apply guides like those in the Maryland protocol. 

Clearly, computers can be used to create false or misleading records. Internet 
postings may contain humor, irony, fantasy, exaggeration, deliberate untruth—or 
factual documents. Because the intelligence analyst often cannot consult the cre¬ 
ator of the records, authentication and veracity can be difficult to judge. A key 
function of open-source intelligence is assembling and analyzing the factors that 
help determine the trustworthiness of the information found. 


International Treaties and Standards 

Among the international bodies addressing legal and privacy issues of the informa¬ 
tion society are the United Nations, the Organization for Economic Cooperation 
and Development, and the Council of Europe. The European Commission and 
European Union, as well as constituent nations, have strong privacy protection laws 
and directives that can be characterized as enforcement of the “opt-in” principle, 
meaning that for personally identifying information to be collected, the individual 
must agree to that collection. The 1995 EU Data Privacy Protection Act requires 
unambiguous consent for information to be gathered online, notice regarding why 
the information is collected, the ability to correct erroneous data, and the ability 
to opt out and to be protected against transfer of ones data to countries with lesser 
privacy protections. Nevertheless, an individual may elect to post personal infor¬ 
mation online for all to see. 

In the Council of Europe Convention on Cybercrime, 28 ratified by the United 
States in 2001 and in effect since January 1, 2007, convention signatories pledged 
to criminalize a wide range of computer-related illegal activities and to address 
electronic evidence, facilitate investigation of cybercrime, and obtain electronic 
evidence to prosecute all types of criminal investigations and proceedings. The 
convention reaffirms established principles of free expression and privacy and is the 
only binding international treaty on the subject to date. 

The European Union Data Protection Directive 29 applies to firms operating 
in the European Union and specifies that “personal data” must have “appropriate 
security,” compliant with either International Organization for Standardization/ 
International Electrotechnical Commission (ISO/IEC) 17799 or BS 7799-2; pro¬ 
hibits an individuals personal information from being accessed and employed for 
other uses; and requires appropriate measures to protect personal data. The EU 
directive was strengthened in 2012 to provide further personal data protections. 
The European Union is in conflict with the United States over privacy and data pro¬ 
tection standards and safeguards. The Canadian Personal Information Protection 
and Electronic Documents Act 30 regulates the use and collection of personal infor¬ 
mation via the Internet. The act applies not only to Canadian companies but also 


Copyrighted material 



94 ■ Cybervetting 


potentially to any entity that collects personal information in Canada or personal 
information from Canadian citizens. More sensitive information, such as patient 
records, should be safeguarded by a higher level of protection. Collection or use of 
personal information without knowledge and consent appears to be allowed by the 
act for appropriate, official purposes such as verification of the terms of employment. 

Existing laws that may relate to Internet searching can be summarized in a few 
short points: 

■ US statutes and legal practice do not forbid the lawful use of public Internet 
postings for intelligence, investigative, and vetting purposes. 

■ In Europe, Canada, and Asia, legal privacy protections may limit the types of 
data that can be collected and used from Internet sources. 

■ Misuse of personally identifying data, including failure to protect it ade¬ 
quately, can result in legal sanctions in the United States and abroad. 

■ The law tends to favor the agency or business that provides full disclosure 
and transparency to consumers, employees, and others, allowing them to 
see the information about them, correct it if necessary, and provide consent 
when data about them are used in a manner that may have an impact on 
their well-being. 

Although the US Constitution and statutes do not directly address issues related 
to Internet investigations, they shed light on the principles that should be adopted 
for fairness and ethical cybervetting. Additional support for the pillars of Internet 
search policy for government and private enterprises is found in Chapter 9. 


US Legislative Proposals 

About 145 bills were introduced in the US Congress in 2013 addressing privacy 
rights in one way or another, 31 but none treated the entire agenda announced by 
President Barak Obama. Efforts continued to encourage businesses to adopt pri¬ 
vacy principles originally created in the United States but adopted in law in Europe, 
Canada, and Asia and left to the market in the United States. A primary example 
is a bill proposed by the Obama administration labeled a Consumer Privacy Bill 
of Rights, 32 saying American Internet users should have the right to control per¬ 
sonal information about themselves collected online, to prevent data collected for 
one purpose being used for an unrelated purpose, to ensure information is held 
securely, and to know who is accountable for use or misuse of their personal infor¬ 
mation. Along with several reportedly more high-profile bills with a longer history 
of discussion (e.g., strengthening security of data protection), this proposal was not 
introduced as a separate bill and is not viewed as likely to be enacted into law. 


Copyrighted material 



Laws ■ 95 


Notes 

1. US Constitution, http://www.archives.gov/exhibits/chartcrs/constitution.html 
(accessed December 19, 2013). 

2. For the Privacy Act, see http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2. 
htm, which contains amendments (accessed August 10, 2010). 

3. Freedom of Information Act, http://www.justice.gov/oip/foia_updates/Vol_XVII_4/ 
page2.htm (accessed August 10, 2010). 

4. HIPAA, https://www.cms.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf (accessed 
August 10, 2010). Gramm-Leach- Bliley Act of 1999, http://banking.senate.gov/conf/ 
(accessed August 10, 2010). Sarbanes-Oxley Act of 2002, http://fll.findlaw.com/ 
news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf (accessed August 10, 
2010). 

5. USA Patriot Act, Public Law 107-56, 2001, http://thomas.loc.gov/cgi-bin/bdquery/ 
z?dl07:HR03l62:%5D (accessed August 10, 2010). 

6. Fair Credit Reporting Act (FCRA), Public Law 91-508, Title VI, § 601, http://www. 
ftc.gov/os/statutes/031224fcra.pdf (accessed August 10, 2010). 

7. Electronic Communications Privacy Act of 1986, http://www.it.ojp.gov/default.aspx? 
area=privacy&page=l 285 (accessed August 10, 2010). 

8. Federal Information Security Management Act (FISMA) of 2002, http://thomas.loc. 
gov/cgi-bin/bdquery/z?dl07:h.r.03844: (accessed August 10, 2010). 

9. Computer Fraud and Abuse Act, Title 18, Part I, Chapter 47, § 1030, http://www. 
justice.gov/criminal/cybercrime/1030NEW.htm (accessed August 10, 2010). 

10. Computer Security Act of 1987, Public Law 100-235, http://www.nist.gov/cfo/ 
legislation/Public%20Law%20100-235.pdf (accessed August 10, 2010). 

11. Childrens Online Privacy Protection Act (COPPA), http://www.ftc.gov/ogc/coppal. 
htm (accessed August 10, 2010). 

12. http://www.business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked- 
Questions#General%20Questions (accessed November 29, 2013). 

13. Copyright law, http://www.copyright.gov/titlel7/, http://www.copyright.gov/circs/ 
circ01.pdf, http://www.copyright.gov/titlel7/92chap5.pdf (accessed August 10, 2010). 

14. The NLRB and Social Media, http://www.nlrb.gov/news-outreach/fact-sheets/nlrb- 
and-social-media (accessed April 27, 2014). 

15. California Penal Code, Section 502-502.08, http://www.calpers.ca.gov/eip-docs/ 
utilities/conditions/502-ca-penal-code.pdf (accessed August 10, 2010). 

16. California Database Protection Act (CDPA), CA Civil Code § 1798.82, http://www. 
cybersure.com/documents/seminar/database_protection.pdf and http://www.ffiec. 
gov/ffiecinfobase/resources/info_sec/2006/occ-bul_2005-13.pdf (accessed August 10, 
2010). California Consumer Credit Reporting Agencies Act, CA Civil Code § 1798.16, 
http://law.onecle.com/california/civil/index.html (accessed August 10, 2010). California 
Investigative Consumer Reporting Act, CA Civil Code § 1798.83-84, http://www. 
privacy.ca.gov/icraa.htm (accessed August 10, 2010). 

17. For examples of state statutes, see http://www.ncsl.org/research/telecommunications- 
and-information-technology/state-laws-related-to-internet-privacy.aspx (accessed 
December 19, 2013). 

18. See http://www.ok.gov/cio/Policy_and_Standards/Social_Media/ (accessed April 27, 
2014). 


Copyrighted material 



96 ■ Cybervetting 


19. See http://www.ncsl.org/research/relecommunications-and-information-technology/ 
state-laws-related-to-internet-privacy.aspx (accessed April 27, 2014). 

20. See http://www.ncsl.org/research/telecommunications-and-information-technology/ 
employer-access-to-social-media-passwords-2013.aspx (accessed April 27, 2014). 

21. See http://www.laborlawyers.com/nevada-inquiring-about-personal-social-media-will- 
be-illegal (accessed December 19, 2013). 

22. US courts: http://www.uscourts.gov/uscourts/rules/rulcs-evidence.pdf, http://www. 
uscourts.gov/uscourts/RulesAndPolicies/rules/2010%20Rules/Criminal%20Procedure. 
pdf, http://www.uscourts.gov/uscourts/rules/civil-procedure.pdf. 

23. Federal Rules of Evidence, Rule 803. Exceptions to the Rule Against Hearsay— 
Regardless of Whether the Declarant Is Available as a Witness (6), http://www. 
uscourts.gov/uscourts/rules/rules/evidence.pdf (accessed July 16, 2014). 

24. Federal Rules of Evidence, Article X. Contents of Writings, Recordings, and 
Photographs, Rule 1001. Definitions That Apply to This Article, http://www.uscourts. 
gov/uscourts/rules/rules/evidence.pdf (accessed July 16, 2014). 

25. Kerr, Orin S., Computer Records and the Federal Rules of Evidence, US Attorneys' USA 
Bulletin , 49(2), 2001, http://www.cybercrime.gov/ (accessed August 10, 2010). 

26. Computer Crime and Intellectual Property Section, Criminal Division, US Department 
of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in 
Criminal Investigations (Manual), July 2002, Appendix F updated December 2006, 
http://www.cybercrime.gov/s&smanual2002.html (accessed August 10, 2010). 

27. See http://www.mdd.uscourts.gov/news/news/ESIProtocol.pdl (accessed April 27, 
2014). 

28. Text of Council of European Convention on Cybercrime, accessible at http://www.coe. 
int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp. 

29. European Union Data Protection Directive and links to individual countries’ laws, see 
http://ec.europa.eu/justice_home/fsj/privacy/law/imple- mentation_en.htm (accessed 
January 17, 2014). 

30. Canadian Personal Information Protection and Electronic Documents Act (S.C. 2000, 
c. 5), http://laws.justice.gc.ca/eng/acts/P-8.6/ (accessed January 17, 2014). 

31. http://thomas.loc.gov/cgi-bin/thomas, accessed January 28, 2014. 

32. The White House, Washington, DC, Fact Sheet: Plan to Protect Privacy in the Internet 
Age by Adopting a Consumer Privacy Bill of Rights, http://www.whitehouse.gov/ 
the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting- 
consumer-privacy-b (accessed January 28, 2014). 


Copyrighted material 



Chapter 8 


Litigation 


Introduction 

The intent of this chapter is not to provide a review of all of the relevant court 
decisions or to argue the privacy issues of cyberspace. It provides no legal advice 
or analysis but rather describes selected litigation and related information deemed 
to illuminate key issues regarding Internet searching of persons, legal persons, and 
entities in law terms. Relatively few court decisions were found that directly con¬ 
cern Internet searching, and few legal reviews of employment disputes, and other 
sensitive issues, such as privacy, along with cases for which admissibility of elec¬ 
tronic evidence issues were adjudicated. Therefore, topical reviews were conducted 
of decisions that could be used as precedents in a case where an Internet search 
led to a lawsuit or was used as guidance to professionals seeking to understand 
the proper way to conduct cybervetting. Commentary is included in an effort to 
explain potential relevance to this issue. 


Internet Search Litigation 

A few cases involving claims relating to an employer conducting Internet searching 
on an employee or applicant were found. In one case, the US Court of Appeals for 
the Federal Circuit affirmed the firing of a US Government employee on a nonprec- 
edential basis. 1 The employee claimed that “his guaranteed right to fundamental 
fairness was seriously violated” when his supervisor used Google to search his name 
and learned and improperly considered that he previously had been removed from 
a position by the Air Force. However, the court found that the employee himself 
told his supervisor that he had been subject to employment proceedings before, 

97 


Copyrighted material 


98 ■ Cybervetting 


ruling his due process rights were not infringed in over 100 supported charges of 
misconduct. A legal comment on this case noted that if an employer “hunts down 
information on the Internet as a pretext for firing an employee for a truly improper 
motive, such [as] unlawful discrimination based on race, gender or age, such con¬ 
duct would not be embraced by the law”; “on the other hand, if an employer learned 
on the Internet that an employee was engaging in conduct harmful to the employer, 
such as disclosing company trade secrets or defaming the company, that may be 
grounds for termination.” 2 

Numerous other cases have been filed, but none so far has resulted in decisions 
against employers where information posted on the public Internet is concerned. 
Here are some of the more interesting cases: 

In a 2006 New Jersey case, Pietrylo et al. v. Hillsto?ie Restaurant Group , bartender 
Brian Pietrylo and waitress Doreen Marino sued after their termination by 
Houston’s Restaurant (Hillstone) for posting derogatory and obscene comments 
on a password-protected MySpace profile, claiming that in their restricted group, 
privacy-protected postings were not meant for public viewing. A third employee 
was allegedly coerced into providing her log-in information to a manager, who 
shared the sites contents with other managers, who fired Pietrylo and Marino. A 
New Jersey court held, and the New Jersey Federal District Court affirmed, that the 
restaurant’s managers violated the Stored Communications Act and the New Jersey 
Wiretapping and Electronic Surveillance Act by accessing the MySpace page with¬ 
out authorization. However, the court ruled on an invasion-of-privacy claim that 
the plaintiffs had no reasonable expectation of privacy on MySpace. 3 A federal jury 
awarded the two a total of $3,400 in back pay and $13,600 in punitive damages. 4 

Comment : It is clear that courts will have little sympathy for employers who 
gain illicit or illegal access to postings and then take adverse action against 
employee-posters. However, the extent to which a posting is protected has limita¬ 
tions. Coercing someone to provide unauthorized access appears to be a step less 
acceptable than being given access voluntarily. However, if the site policy clearly 
restricts access to and use of content, it is unlikely that the employer will have 
free rein to act solely on what is found in postings. As yet untested are situations 
in which large numbers of persons have authorized access to defamatory post¬ 
ings, and the courts in the New Jersey case indicated that the employees did not 
have a valid invasion-of-privacy claim because they had no reasonable expectation 
of privacy on MySpace. With well over a billion users of Facebook, one could 
hardly argue that a post available to all Facebook users enjoyed privacy protection, 
regardless of the websites policy. 


In a 2012 case, a 25-year-old Peoria, Arizona, police officer posted a photo on 
Facebook of several individuals with guns holding up a bullet-hole riddled tee 
shirt depicting President Barak Obama. 3 Investigations by the Secret Service and 
the Peoria Police Department led to his demotion and suspension without pay for 
violation of its social media policy and because he discredited the department. The 
punishments were upheld on appeal. 

Comment'. First Amendment cases involving public employees’ speech have a 
history long before social media and often hinged on whether the employee made 


Copyrighted material 



Litigation ■ 99 


statements in their official capacity or as a private citizen. Law enforcement officers 
are considered even more restricted in their speech than other public servants. As 
the Supreme Court noted in the Garcetti case ( Garcetti v. Ceballos , 547US410 
(2006)): “When a citizen enters government service, the citizen by necessity must 
accept certain limitations on his/her freedom.” Government employers have the 
ability to retain control over speech that “owes its existence to a public employees 
professional responsibilities.” 


In the case titled City of San Diego v. Roe (Supreme Court, 2 004), 6 a police officer 
who was terminated after the department learned of his sexually explicit off-duty 
behavior claimed his firing violated his First Amendment rights. The officer had 
made a video of himself stripping off his police uniform and masturbating, then 
sold, on the adults-only section of eBay, the video and other items that connected 
him to the San Diego Police Department. The Supreme Court, in reversing the 
9th Circuit Court, upheld the city’s decision to terminate Roe because the police 
department “demonstrated legitimate and substantial interests of its own that were 
compromised by Roe’s speech,” and Roe’s sexually explicit conduct “brought the 
mission of the employer and the professionalism of its officers into serious disre¬ 
pute.” No balancing of interests was necessary as Roe’s conduct did not touch on 
a matter of public concern. 


It is safe to say that there will be plenty of litigation exploring the limits of pri¬ 
vacy protections on the Internet. However, it is also obvious that public postings 
have no current, legal privacy protections, and courts have consistently held so. 


Anonymity 

In 1958, the Supreme Court held Alabama’s demand for the identities of all mem¬ 
bers and agents of the NAACP (National Association for the Advancement of 
Colored People) unconstitutional, declaring that anonymity was essential to free 
speech and association, exercise of which would be impaired by disclosure. The 
court held that forcing the NAACP to disclose its membership lists was “likely 
to affect adversely the ability of [the NAACP] to pursue their collective effort to 
foster beliefs which they admittedly have the right to advocate.” 7 

Comment'. Anonymity enables a wide range of public activities on the Internet, 
in which those posting information publicly are responsible for deciding whether 
or not, and in what manner, attribution is included. A number of federal and state 
courts have held that an enterprise cannot cause a court to require disclosure of 
the posting individual merely because the material is insulting to the enterprise. A 
substantial number of businesses have been known to me to investigate illicit and 
untrue postings to determine who made them. In some cases, it is possible to iden¬ 
tify individuals attempting anonymity whose postings include clues to their identity. 


In Griffin v. State of Maryland, the Maryland Special Court of Appeals upheld 
the murder conviction of Griffin, approving a Cecil County Court judge’s ruling 
allowing introduction of the MySpace page of Griffin’s girlfriend to corroborate 


Copyrighted material 



100 ■ Cybervetting 


testimony of a key eyewitness that he had declined to testify in a first trial with a 
hung jury because of threats on his life. The judge allowed the MySpace page into 
evidence because of compelling circumstantial evidence, including the use of the 
girlfriend’s photo with Griffin, her date of birth, number of children, and Griffin’s 
nickname, among other things. Defense counsel objected that the MySpace profile 
owner “Sistasouljah” had not been conclusively verified as the girlfriend prior to 
introduction into evidence. The trial and three-judge appeals panel unanimously 
agreed that despite the use of a pseudonym, she had identified herself by photo 
and personal background information. 8 On April 28, 2011, the Maryland Court 
of Appeals reversed the Court of Special Appeals, 9 holding “that the pages alleg¬ 
edly printed from Griffin’s girlfriend’s (Barber) MySpace profile were not properly 
authenticated.” The appeals court was particularly concerned with the possibility 
of hacking and suggested that additional forensic evidence to establish the post¬ 
ing’s authorship and attribution was necessary and remanded the case for retrial. 

Comment'. This ruling may suggest that judges will accept good circumstantial 
grounds for identification of a person with Internet postings, provided that the 
details are sufficient and clear. In this case, the murderer was included in a photo 
on the MySpace posting with his girlfriend, whose blatant threat against the eye¬ 
witness, her date of birth, boyfriend’s nickname, number of children, and other 
details provided convincing corroboration to support the prosecution’s introduc¬ 
tion of the MySpace page. A Maryland State policeman testified about the profile 
outside the jury’s hearing, prior to the judge’s allowing its introduction into evi¬ 
dence. However, the evidence provided at trial did not include verification from 
the girlfriend or her computer that she posted the threatening message that caused 
a witness to change his testimony between a first hung jury trial and the second 
trial, which resulted in conviction. The lessons from this case for Internet investiga¬ 
tors are that every detail that corroborates or may shed doubt on the identification 
of online content is important and should be assembled to verify the relevance, 
attribution, and authentication of the facts reported. Otherwise, the information 
found online may have lead or intelligence value, but it may not be considered 
probative by the courts. 


Expectation of Privacy 

In 1967, the Supreme Court established the principle that individual privacy pro¬ 
tection (rather than property protection) extends the Fourth Amendment shield to 
include what a person “seeks to preserve as private”—in this case, a telephone call 
in a public area. The court used a two-part test to determine when an individual 
has a “reasonable expectation of privacy”: whether government action violated an 
individual s subjective expectation of privacy and whether that expectation of pri¬ 
vacy was reasonable (an objective test). 10 One year later, in 1968, Title III of the 
Omnibus Crime Control and Safe Streets Act was passed, requiring law enforce¬ 
ment to seek a warrant for electronic surveillance. 11 Subsequent lower federal court 
decisions have found, under more recent laws, including those recounted previ¬ 
ously, that a reasonable expectation of privacy has a variety of nuances, depending 
on the type of communication and the situation. 


Copyrighted material 



Litigation ■ 101 


Comment : Courts have ruled unanimously that publicly posted information 
on the Internet carries no reasonable expectation of privacy. More on this topic 
appears next. 

The Supreme Court ruled on a constitutional privacy suit brought by patients and 
doctors against a New York State statute requiring physicians to report prescrip¬ 
tions for “potentially harmful” drugs to the state. Because the statute included 
security requirements and use and retention limits for the computer files main¬ 
tained, the court found the statute constitutional, stating that the privacy argu¬ 
ments were not sufficient to invalidate the law, which was a reasonable exercise of 
the states police powers in view of the privacy and security safeguards employed. 12 

Comment'. Security protection for personally identifying information on 
employees, applicants, and other persons ensures that information collected 
through background investigations, including Internet searching, poses no unrea¬ 
sonable security or privacy threat to candidates and employees. Requiring dis¬ 
closure of Internet activities that could relate to employment as a condition of 
a successful background screening is a proper exercise of employer discretion, 
provided that the information collected is handled and utilized in a lawful, fair, 
secure manner. 


The Supreme Court ruled that a police pen register did not constitute a violation of 
the Fourth Amendment because the user of a telephone had no reasonable expec¬ 
tation of privacy in the numbers dialed from a home phone. 13 (A pen register is 
a device that records numbers dialed to and from a telephone, without providing 
call content.) 

Comments'. Posting of information by an individual on the public Internet 
makes that information available to everyone. When users create a public profile, 
those users have no Fourth Amendment right to protection of that profile because 
they consented to the terms of the website to gain free access to postings. Most 
websites have privacy and use policies that spell out what happens to data pro¬ 
vided by users. In recent years, Facebook and Google (among others) have been 
criticized for privacy policy changes, including loopholes in privacy protections 
that can be invoked by users to keep their data from public view (e.g., making 
their text and photo postings available only to selected friends and family). When 
changes to privacy settings exposed postings to unintended viewers, many social 
networkers loudly complained. Ironically, social networking and Internet service 
provider (ISP) websites admittedly mine users’ data for marketing purposes, which 
creates another privacy issue. A substantial percentage of social network users, in 
my experience, place few or no privacy limits on their postings, which is consistent 
with findings of a 2012 Pew survey of teens’ social network privacy settings, which 
showed that most posted personal details publicly. 14 


The US Court of Appeals for the Armed Forces upheld the conviction of an offi¬ 
cer on child pornography and obscenity-related charges, finding that seizure of 
e-mail and other computer data under a federal warrant was proper, and that after 
an e-mail was received by the recipient, the sender’s privacy interest in its stored 
content was low, and collection by law enforcement was not subject to the controls 
relating to interception of an e-mail in transit. 15 


Copyrighted material 



102 ■ Cybervetting 


Comment : Some of the data posted to the Internet, such as controversial or 
offensive blogs, chats, profiles, comments, photos, videos, and message board 
content, may be regrettable, and individuals involved may wish the data were 
not online. However, an individual’s control and privacy interest may be limited 
after posting. 


In United States v. Charbonneaa, a federal court ruled that a participant’s e-mail 
and postings in an Internet chat room used to distribute child pornography hold 
no reasonable expectation of privacy, and the defendants motion to suppress the 
evidence was denied. Once the e-mail is sent, the sender loses privacy protections 
when the e-mail (like a letter) is in the hands of the recipient. A posting in a chat 
room, where an undercover agent is observing postings, has even less privacy pro¬ 
tection, and anything said on the chat is admissible in court. 16 

Comment : This decision appears consistent with findings in all court jurisdic¬ 
tions where open-source public information, such as that posted on the Internet, 
is concerned. Chat rooms and their logs are worthy of further discussion, which 
appears in the material that follows. 


In Davis v. Gracey , the US Court of Appeals for the 10th Circuit dismissed the 
claimants’ assertion that evidence seized on a warrant should be suppressed under 
the First and Fourth Amendments, the Privacy Protection Act (PPA), 42 U.S.C. 
2000aa-2000aa-12, and the Electronic Communications Privacy Act (ECPA), 
18 U.S.C. 2510-2711, ruling that a good faith reliance on a court order or warrant 
is a complete defense to any action brought under the ECPA. To be in good faith, 
reliance on the warrant or court order must be objectively reasonable. The court 
ruling enabled a federal district court trial and conviction of the claimants based 
on the evidence. 17 

Comment : This is an example of defendants’ claims of privacy rights that would 
supersede a warrant (i.e., a finding by a judge that a crime has been committed and 
evidence of the crime should be seized in the manner specified). It is possible that 
persons denied employment or a clearance as a result of information found on the 
public Internet will claim a violation of their privacy rights. Nevertheless, privacy 
rights clearly do not apply to public data. 


The 9th Circuit Court of Appeals held in 2007 in United States v. Ziegler that 
although an employee of a commercial firm had a reasonable expectation of 
privacy in his locked (nonshared) office space, the employer had the right to 
monitor his computer use, retrieve copies of his hard drive using a company key, 
and turn the copies over to the Federal Bureau of Investigation (FBI), resulting 
in his conviction on Internet access to child pornography charges. The court 
said that computers are “the type of workplace property that remains within the 
control of the employer even if the employee has placed personal items in it.” 18 


In Konop v. Hawaiian Airlines , the Ninth US Circuit Court of Appeals overturned 
a federal district court, ruling that a personal, restricted website on which Konop, a 
pilot, posted critical comments about his airline employer and labor concessions 
sought by the airline were considered protected activity, and unauthorized access 


Copyrighted material 



Litigation ■ 103 


could constitute violations of the federal Wiretap Act, 18 USC §§ 2510-2520, 
and the Stored Communications Act, 18 USC §§ 2701—2710. Airline executives 
accessed Konop’s website using other employees’ log-in information and clicked 
to affirm that they would abide by the site’s confidentiality policy—violating that 
policy against unauthorized access. Hawaiian later placed the pilot on medical 
suspension, which Konop claimed was in retaliation for his union activity. In 
court, the airline argued that the pilot’s postings were false, defamatory, and out¬ 
rageous, but the appeals court held that they were within the bounds of labor laws 
and returned the case to a lower court, reinstating Konop’s lawsuit. 19 


In June 2009, the city of Bozeman, Montana, was widely criticized when the AP 
(Associated Press) and other media outlets published the fact that applicants for 
city positions were being asked to provide passwords to access social networking 
and other websites to which candidates belonged. The city quickly rescinded its 
policy, but for some time, its application form online still requested a listing of all 
websites that applicants used. 20 

Comment: Bozeman officials conceded that they went too far in requiring 
applicants to provide passwords, which might provide access not only to social 
networking sites but also to such protected activities as banking, medical services, 
and insurance. Nevertheless, Bozeman was at the forefront in asking applicants 
for their history of Internet use and being in a position to review postings that 
are public to confirm that applicants meet all the requirements of the position. 
Guidelines published by the International Association of Chiefs of Police (IACP), 
“Developing a Cybervetting Strategy for Law Enforcement,” 21 strongly suggest 
that employers should not ask candidates for passwords. Some police depart¬ 
ments ask candidates to log on to sites that they frequent and show their postings 
to applicant processors to ensure that they only publish content consistent with 
department policies. 


Due Process 

The US District Court for the District of Columbia enjoined the US Navy against 
discharging a US naval officer whose postings on AOL, a major ISP, appeared to 
embrace a gay lifestyle, and against using information obtained without process 
by a navy paralegal concerning the officer. The court held the government to a 
strict interpretation of the ECPA’s requirement for obtaining process (warrant or 
subpoena) to obtain the officer’s identity from AOL and opined that the officer’s 
public Internet postings did not constitute proper grounds for the investigation as 
conducted, in view of the Internet’s invitation to fantasy and anonymity. 22 

Comment : A central issue in this case was the Navy paralegal’s identification 
of the naval officer without due process through AOL. The court considered and 
commented on the public Internet postings that were the basis for the investigation. 
This decision may be an indication that it is not Internet postings alone that should 
constitute the basis for adjudications. In addition, the degree of misbehavior in such 
postings is pivotal in deciding whether they are leads for investigation, grounds for 
action, or the basis for adjudications that could be adverse to the subject. This is 
one of only a few cases involving the adverse use of Internet postings to be litigated. 


Copyrighted material 



104 ■ Cybervetting 


In Raytheon Company v. John Does 1-21 , 23 Raytheon succeeded in identifying 
21 employees who violated company policy and their employment contracts. On 
February 1, 1999, Raytheon filed suit against 21 employees it alleged had posted or 
discussed confidential corporate information on a Yahoo message board, in viola¬ 
tion of their employment contracts and Raytheon’s published employment policy; 
Raytheon claimed, in addition, that this conduct constituted a misappropriation 
of Raytheon’s trade secrets. To identify the “John Does,” Raytheon obtained a 
court order allowing its counsel to take out-of-state discovery from Yahoo, AOL, 
EarthLink, and various other ISPs, seeking documents and information identify¬ 
ing the 21. 

Analysis'. By framing its lawsuit primarily as a breach-of-contract action, 
Raytheon limited the defendants’ ability to rely on a “free speech” defense because 
typically if an employee has signed a contract that specifically precludes disclo¬ 
sure of trade secrets or other confidential corporate information, the availability 
of that defense is limited to “whistle-blower” cases. In addition, it is possible that 
any jurisdictional defenses normally available to defendants outside Massachusetts 
may have been limited or eliminated by the terms of the employment agreements. 

The privacy issue raised by the out-of-state discovery from Yahoo, AOL, and 
the ISPs—the right of the authors to remain anonymous, if you will—is limited. 
To access Yahoo’s message board and post, the authors each agreed to the terms 
and conditions set forth in Yahoo’s “term-and-conditions” agreement concern¬ 
ing the use of the message board, including providing Yahoo with a valid e-mail 
address and to the terms and conditions of their ISP. Yahoo’s message board dis¬ 
claimer stated that although Yahoo will take reasonable measures to respect the 
privacy of users, Yahoo reserves the right to turn over user identification informa¬ 
tion if Yahoo in good faith believes that disclosure is necessary in certain cir¬ 
cumstances, including to comply with legal process or the law. After being served 
with Raytheon’s subpoena, Yahoo apparently provided Raytheon with the authors’ 
e-mail addresses or other information. In May 1999, Raytheon dismissed the law¬ 
suit after several of the identified employees had apparently resigned. 

Comment'. The contracts used by Raytheon are analogous to the notice and 
consent that are appropriate for notice to and consent of applicants for jobs and 
clearances. Such procedures are appropriate not only to add Internet searching to 
existing background investigative checking but also to send a clear message to can¬ 
didates and employees that proper use of information systems is a vital requirement 
of the job. An individual with a history of improper computer use is more likely to 
misuse an employer’s systems or to post items damaging to the employer. In this 
case, the Raytheon employees made the offending anonymous postings in violation 
of their confidentiality agreements and employment contracts. Should a prospective 
candidate have a similar history of postings harmful to his or her employer, the can¬ 
didate’s judgment and integrity (and therefore eligibility for a clearance) would be 
called into question. Better to deter an applicant before incurring the expense of hir¬ 
ing than to risk suffering a loss because the applicant misuses information systems. 


A New Jersey court dismissed an initial and amended claim of violation of pri¬ 
vacy by state employees subject to financial disclosure whose disclosure forms 
were posted on the Internet. The court twice ruled that there was no “difference 


Copyrighted material 



Litigation ■ 105 


of constitutional magnitude” between prior publication in hard-copy form and 
publication on the public Internet, even with employees’ names and addresses 
posted for anyone to see. 24 

Comment : This ruling may have relevance in that Internet postings by other 
parties about an applicant may be usable in investigation and adjudication pro¬ 
cesses, even if the applicant claimed that the data were posted without his or 
her consent. 


Courts are still struggling with attribution and authentication where postings, 
especially those found on social networking websites, are concerned. In a number 
of criminal and civil cases, courts have accepted into evidence content allegedly 
downloaded or printed from profiles, communications, and the like. Because of a 
lack of detailed evidentiary standards for authenticating content, courts have over¬ 
looked the possibilities of hacking, falsification of content, inadequate protections 
against postings by others, and similar issues that arise because of the technologies 
involved. 25 In reality, authentication of online information as evidence will need to 
rely on more rigorous standards than mere circumstantial indicators of authentic¬ 
ity. For example, a posting on a website that apparently belongs to an individual 
may not actually be made by that individual, but by anyone else with authorized or 
unauthorized access to the profile. Additional forensic evidence, such as an analysis 
of the computer used by a computer forensic examiner, or an admission of author¬ 
ship may be needed to verify authorship and the authenticity of online evidence. In 
such cases as employee or candidate vetting, prior to an adverse action, an employer 
would be well advised to seek an admission that the online information is what it 
seems before a final judgment. Online findings are generally intelligence or lead 
information first and should only be considered definitive after verification through 
the best-possible means available, including (in the case of a social network profile) 
account ownership, security, and authorship of a specific post. Otherwise, an indi- 
viduals due process rights may be violated. 


Libel/Defamation 

Federal and state courts have had numerous libel (defamation) suits brought 
against both named and anonymous posters of allegedly libelous materials online. 
Key findings have included the federal courts decision in Doe v. 2TheMart.com in 
2001, which held that the First Amendment protects the anonymity of Internet 
speech, and that use of a civil subpoena to ascertain the identity of those post¬ 
ing allegedly offensive remarks could have a significant chilling effect on Internet 
speech and thus the exercise of First Amendment rights. The court set out a list 
of criteria to be met so that a party could not intimidate critics into silence by 
using civil subpoenas to learn the identity of anonymous posters. 26 Such decisions 
also track Section 230 of the Communications Decency Act of 1996, 27 which 


Copyrighted material 



106 ■ Cybervetting 


immunizes “providers and users of interactive computer services” from liability for 
defamatory material posted by third parties. 

Although the decisions on libel and disputes over offensive Internet postings 
do not relate directly to Internet vetting of persons, they indicate that a court 
is unlikely to empower a party to use the civil court process to discover some¬ 
one’s identity and confront him or her for online behavior unless there is a serious 
offense and no other method is available. Note that when a person’s identity can 
be deduced from public postings (e.g., when two e-mail addresses or user identities 
appear in the same posting, attributed to the same individual), the expectation of 
privacy is not present because the Internet page is publicly accessible. 

Comment : Anonymous names were used to mask the true identities of persons 
in the libel suits reviewed, enabling speech unfettered by the discretion expected 
from a speaker using a true name. Attribution for offensive postings may not be dis¬ 
coverable unless the poster makes a mistake and allows an “anonymous” identity to 
be deduced. Availability of legal process (a warrant) may be called into question by 
the circumstances (e.g., the alleged damage done and the nature of the relationship 
between the ISP and the user in question). Ihe courts appear to make a distinction 
between evidence of offensive speech and that of felonious behavior. Even when a 
valid warrant enables discovery of the user’s registration information, investigators 
sometimes find that the identifying information is incomplete, false, or insufficient 
to identify the user. For example, large ISPs frequently change the Internet protocol 
(IP) address of users, and the IP address alone may not be enough to pinpoint a 
network user. If it is shown that an applicant has a prior history of anonymous post¬ 
ings of defamatory materials, serious questions of judgment, discretion, maturity, 
and adherence to enterprise standards could indicate ineligibility for employment. 


In Endicott Interconnect Technologies Inc. v. National Labor Relations Board , the 
US Court of Appeals for the District of Columbia overruled the National Labor 
Relations Board (NLRB), concluding that an employee’s dismissal for disparaging 
comments he made to a newspaper reporter and a message the employee posted to 
the newspaper’s website public forum, criticizing the owner’s managerial abilities, 
were so disloyal that they overcame collective bargaining rights enumerated in the 
National Labor Relations Act. 28 

Comment : The appeals court’s ruling took into consideration that First 
Amendment and labor law protections apply to public communications by employ¬ 
ees but said, “We conclude that White’s communications were so disloyal to EIT 
as to remove them from Section 7 s protection and that the Board erred in holding 
otherwise.” In my opinion, while the employee had a right to say publicly what he 
wished, the employer had a right to take appropriate action to protect its reputation 
and ability to function. 

This is consistent with the Supreme Court’s decision in Garcetti v. Ceballos 
(2006) that official communications made by public employees are not protected 
by the First Amendment and that public employers may discipline employees if 
official communications are deemed improper. 


Copyrighted material 



Litigation ■ 107 


Invasion of Privacy Torts 

Common law (tort law) invasion of privacy appears not to apply well on the Internet, 
based on established law and practice, according to Harvard’s Karl Belgum’s com¬ 
parison of three conflicting views of Internet privacy 29 and to Robert Sprague, 
writing in the Hofstra Labor and Employment Law Journal?® Four commonly rec¬ 
ognized types of invasion of privacy are misappropriation of the name or likeness 
for another’s commercial benefit, public disclosure of private facts, intrusion into 
seclusion, and “false light,” or untrue public attribution of views or circumstances. 
These “four common law torts are generally considered to be irrelevant when it 
comes to online privacy issues,” according to the review. The essential reason is that 
such claims have limited applicability because voluntary public posting of infor¬ 
mation about oneself is the norm, “and no consensus has emerged that time spent 
on the Internet constitutes time in ‘seclusion.’” Further, “on a more general level, 
the common law privacy torts fail to protect online privacy because they do not 
protect actions taken in public, and the Internet is arguably a public environment.” 

Comment : There is clearly room for invasion-of-privacy torts in which false 
information is posted to damage another’s reputation or a person’s name or like¬ 
ness is misappropriated for commercial use. Otherwise, there may be no legal or 
logical basis for civil privacy claims if data about someone are posted on the pub¬ 
lic Internet. 


In Oja v. US Army Corps of Engineers, a complaint that the corps had wrong¬ 
fully posted personal information about Oja on a government website was dis¬ 
missed and upheld by the US Ninth Circuit Court of Appeals because it was filed 
over 2 years after the first posting. Oja had asserted that every day constituted a 
renewed posting. The court applied the first publication rule, dating the posting 
when first placed online, relying on state laws on defamation for analogy, saying 
the ruling would uphold the provisions of the federal Privacy Act to “economizfe] 
judicial resources while preserving the plaintiff’s ability to bring the claims.” 31 

Comment : The Ninth Circuit’s application of the 2-year statute of limitations 
to Oja’s claim may raise some questions while answering others. Some claim that 
Internet postings can “live forever,” as cached copies can come back to haunt 
someone years after original postings, and continued posting increases the likeli¬ 
hood that the web page image will be preserved somewhere. The damage done by 
the content of an Internet posting can depend in part on the duration of its expo¬ 
sure and the number of people who view, copy, download, and share that content. 
Because the court dismissed the claim on technical grounds (i.e., that it was filed 
too late), the court did not address the underlying claim. 


Sanctions for Public Postings 

Increasingly, individuals are being sanctioned by employers, the courts, or others 
based on their public postings—which are correctly viewed as publications laid out 
in plain view of the public. A few examples follow. 


Copyrighted material 



108 ■ Cybervetting 


In Stacy Snyder v. Millersville University , the US District Court for the Eastern 
District of Pennsylvania upheld denial of an education degree and dismissed her 
suit demanding monetary damages. A photograph of Snyder with a pirate hat 
holding a beverage with the caption “drunken pirate” appeared on her MySpace 
page, on which she also included material regarding her student teaching assign¬ 
ment and otherwise violated university policies. The court found that Millersville 
University appropriately found her eligible for an English degree rather than a 
teaching certification, dismissing her claims of First Amendment and other viola¬ 
tions and demand for monetary damages. 32 


In 2009, Vaughan Ettienne, a New York police officer with many online postings, 
including his own body-building profile, testified against Gary Waters, a parolee 
whom Ettienne arrested after chasing him through Brooklyn, New York, on a 
stolen motorcycle for felony possession of a handgun and ammunition. Officer 
Ettienne had undergone a workplace suspension for testing positive for steroids. 
At trial, the defense attorney confronted Officer Ettienne with excerpts from his 
MySpace profile, which contained provocative statements such as “Vaughan is 
watching Training Day to brush up on proper police procedure” (a reference to 
a 2001 movie portraying a corrupt Los Angeles police detective) and comments 
about how an officer could rough up a cuffed suspect. The defense alleged that 
Officer Ettienne had gone into a steroid-induced rage, which could have caused 
him to assault Waters, and in an effort to justify excessive force, Officer Ettienne 
planted a 9-millimeter Beretta on Waters. The jury acquitted Waters of the felony 
possession charge but found him guilty of the misdemeanor of resisting arrest. 
Officer Ettienne was quoted as saying about the acquittal, “I feel its partially my 
fault,” and about the online profile, “It paints a picture of a person who could be 
overly aggressive.” 33 


In Cromer v. Lexingto?i-Fayette Urban County Government , Case No. 20088- 
CA-000698, 2009 KY App., a Lexington, Kentucky, police officers dismissal for 
unacceptable MySpace postings was upheld on appeal. The officer had arrested a 
well-known singer for driving while intoxicated (DUI), which caused an increase 
in visitors to the officers MySpace page. The dismissal noted that Cromer had 
identified himself on his profile as a Lexington police officer in word and image 
and posted materials that brought discredit and disrepute to the police, including 
profane language; disparagement of homosexuals and the mentally disabled, as 
well as the people and city of Lexington; inappropriate comments on the use of 
force; a photo of the officer with the singer after the arrest for DUI; an instance in 
which he did not arrest a friend for DUI; and other derogatory items. 34 


Internet Privacy for the Twenty-First Century 

Robert Sprague, an assistant professor at the University of Wyoming’s College of 
Business, contributed an excellent review of the law and the evolution of privacy 
protection in America in the Hofstra Labor and Employment Law Journals Among 
the relevant issues treated were the following: 


Copyrighted material 



Litigation ■ 109 


■ “Essentially no protection” of applicants’ privacy when prospective US 
employers use the Internet to investigate them, especially when someone self- 
publishes on the Internet in a blog or social networking profile. 

■ However, publicity given to private facts (e.g., intimate details of ones private 
relationships revealed publicly) could be tortious. 

■ “Certainly no one can complain when publicity is given to information about 
him which he himself leaves open to the public eye.” “Current privacy law 
suggests that a job applicant who posts embarrassing or personal information 
on a blog or within a social networking site which can be accessed by any¬ 
one with an Internet connection should have no expectation of privacy, and 
therefore, no recourse, when that publicly-available information is viewed, 
and potentially used, in an employment decision.” Sprague cited cases that, 
although not specifically about preemployment Internet vetting, neverthe¬ 
less upheld the principle that postings that are public cannot be held to have 
privacy protections (citations are included in Note 30). 

■ Several states protect as private “lawful conduct” that is off duty and does 
not involve the employer. Litigation generally supports the employer when the 
employee conduct has an impact on the employer adversely and supports the 
employee when the employer uses non-job-related off-duty conduct to sanction. 

Sprague addressed the conflict between those using the Internet with the intent 
to share intimate or potentially objectionable materials only with a small group 
and the millions who can see such materials on the public Internet (i.e., a desire for 
relative confidentiality vs. wide access). He said: “Even though information pub¬ 
lished on the Internet is potentially accessible by millions of people, from a practical 
standpoint, only a few people may actually view the information. And that is often 
the intent of the publisher of the information.” He suggested that protecting confi¬ 
dentiality, if not privacy, is a goal that might be achieved as follows: 

Because current privacy laws will not protect Internet information, perhaps the 
lawful conduct statutes provide a good start to protect that information. Many 
of these statutes are incorporated into states’ antidiscrimination prohibitions. 

The Internet provides employers the opportunity to learn a substantial amount 
of information they would otherwise be prohibited from asking (such as religion, 
disability, marital status) in a typical employment interview. Even if an employee 
were to volunteer such information during an interview, the employer is still pro¬ 
hibited from using it in the hiring decision. But, there is no way to know if an 
employer has used the same information gleaned from an Internet search in decid¬ 
ing whether even to interview an applicant. 

One way to protect job applicants from the content of their Internet infor¬ 
mation would be to amend lawful conduct statutes to prohibit employers from 
using publicly available personal information that could be obtained through an 
Internet search in their hiring decisions. As an alternative, or in addition, personal 
information obtained by employers through an Internet search could be treated as 
credit reports. Under this model, employers could be prohibited from acquiring 


Copyrighted material 



110 ■ Cybervetting 


personal information that could be obtained through an Internet search without 
first informing the applicant in writing and would be required to inform the appli¬ 
cant if this information was used as part of an adverse decision, as well as provide 
the applicant with a copy of the information found and used. This last requirement 
would at least inform the applicant there was possibly damaging information on 
the Internet so steps could be taken to remove, alter, or correct the information. 

Comment : Although it is disputable whether publicly posted information 
deserves some level of privacy based on the intent of the poster, it is a cogent 
suggestion to address fair treatment of Internet-collected information along with 
all other information used in hiring and employment decisions. The Fair Credit 
Reporting Act (FCRA) and nondiscrimination rights exist, even if an employer 
elects to risk circumventing them. Putting the investigative results of cybervet¬ 
ting into the same category as checking private data repositories seems the right 
thing to do and probably would not require changes to current law. Explicitly 
notifying applicants and employees when checks of the Internet will be done, and 
when adverse decisions are based on Internet search findings, fits neatly within 
extant, objective, fair FCRA criteria. Creating a right in law that public informa¬ 
tion must be ignored—even job-related derogatory information—does not seem 
well founded or likely to gain general support. 


In a recent federal criminal prosecution, the legal theory was advanced that the 
accused adult violated the Computer Fraud and Abuse Act—unauthorized use of 
a computer system—because she violated the MySpace user agreement by assum¬ 
ing a fictitious teenage identity to harass a teenager, who subsequently committed 
suicide. 36 The accused woman was convicted for misdemeanors under what was 
called the first US cyber bullying case. 37 Although the legal theory remains con¬ 
troversial, and this area of Internet law could be described as somewhat fluid, the 
general practice of users on MySpace and similar social networking sites is to use a 
“false” pseudonym, and the sites encourage the practice. 

Comment : It is common for user agreements to forbid access to a website for 
an illegal or unauthorized purpose (e.g., misappropriation of other users’ iden¬ 
tifying data, other site content, or spamming). 38 However, it is doubtful that a 
claim based on a user agreement between the investigator and the website would 
prevent an employer from using data posted on a website in an adverse finding 
about the subject for bad conduct. Where a claim could arise is if an investigator 
elicited information from or about a subject by fraud (e.g., pretended to be the 
subject or a friend to see privacy-protected social network postings). However, 
mere misrepresentation would not be equally actionable (e.g., if the investigator 
gained access to the subject’s privacy-protected postings by misrepresentation as a 
“new friend” voluntarily admitted by the subject). If a subject could claim a viola¬ 
tion of the subject’s privacy by the investigator, it could render the adverse use of 
the information found by the investigator improper. It appears that the investiga¬ 
tor can use information that the subject posts openly. However, the investigator 
must collect posted information by legal means (which could include deception 
that is not illegal or unethical). A subject might use the argument that a user 
agreement prevents any investigative use of a social site posting, but because the 
posting is visible to hundreds of millions of people, the basis for such a claim 
would be questionable. 


Copyrighted material 



Litigation ■ 111 


Admissibility of Electronically Generated 
and Stored Evidence 

Todd Shipley, an expert in Internet and computer forensic investigations, has writ¬ 
ten seminal articles 39 on collection of electronic evidence, also known as electroni¬ 
cally stored information (ESI), and (in part) noted: 

The procedures outlined in Lorraine v. Markel American Insurance 
Co. [see following discussion]. In that case, the magistrate denied the 
admission of ESI, but outlined how the evidence should have been 
properly admitted. Of particular note is his discussion of ESI authen¬ 
tication including the use of hashing (digital fingerprints), ESI meta¬ 
data, and the collection of data in its “native format.” The decision, 
more than any other existing case, outlines clear guidance for the 
admission of electronic evidence in a federal civil case. Thus, it can be 
considered a partial road map for development of a standard meth¬ 
odology for Internet forensics and its successful admission in court. 

In the Lorrame v. Markel case cited, a thorough discussion of how to authenti¬ 
cate ESI included such common Internet artifacts as e-mail and website images or 
documents introduced into federal civil courts as evidence. The magistrate outlined 
ways in which ESI may be accepted into evidence in a 101-page legal memoran¬ 
dum. 40 A summary of the memos guidance follows: 

ESI comes in multiple evidentiary “flavors,” including e-mail, website ESI, 
Internet postings, digital photographs, and computer-generated documents 
and data files. The following evidence rules must be considered: Is the ESI 

1. Relevant as determined by Rule 401 (does it have any tendency to make 
some fact that is of consequence to the litigation more or less probable 
than it otherwise would be?); 

2. Authentic as required by Rule 901(a) (can the proponent show that the 
ESI is what it purports to be?)—authentication and identification ensures 
that evidence is trustworthy; 

3. Offered for its substantive truth, thus hearsay as defined by Rule 801, and 
if so, is it covered by an applicable hearsay rule exception (Rules 803, 804, 
and 807); 

4. An original or duplicate under the original writing rule, or if not, is there 
admissible secondary evidence to prove the content of the ESI (Rules 
1001-1008); and 

5. Of probative value and substantially outweighs the danger of unfair 
prejudice or one of the other factors identified by Rule 403, such that it 
should be excluded despite its relevance. 


Copyrighted material 



112 ■ Cybervetting 


The memorandum contains a list of cases in which admissibility of electronic evi¬ 
dence was an issue and the court decisions considered precedents or instructive on 
the issues involved. 


Trends and Legal Challenges to Investigative Searching 

In a Federal Register notice, the US Department of Homeland Security (DHS) 
stated that it will routinely monitor the public postings of users on Twitter and 
Facebook. The agency plans to create fictitious user accounts and scan posts of 
users for key terms. User data will be stored for 5 years and shared with other 
government agencies. The Electronic Privacy Information Center (EPIC) filed a 
Freedom of Information Act lawsuit against DHS on April 12, 2011, and obtained 
hundreds of pages of documents from DHS about its monitoring of social net¬ 
works and media organizations. EPIC subsequently campaigned in Congress and 
the press, claiming that DHS lacks legal authority and primarily wants to detect 
public criticism of the department, Ihe FBI issued a request for proposals for simi¬ 
lar Internet collection. 

Comment : Today’s criminal and civil courts, investigative dossiers, and files 
are replete with evidence derived from computer use by persons that relate to 
the cases, including data from the systems themselves, from postings on web¬ 
sites, and from ISPs and telecommunications firms providing services. It was 
inevitable that government and private agencies would seek to detect and pre¬ 
vent illegal, illicit, and otherwise-damaging activities by monitoring the web. 
Although advocates of strengthening terrorism and crime prevention on one 
side and those campaigning for greater privacy and protection from govern¬ 
ment intrusion on the other are bound to continue the debate over the balance 
necessary in a democracy, the legal boundaries of such investigations are as yet 
indistinct. Meanwhile, massive (“big data”) collection is programmed into the 
Internet, from browsers to websites to social networking applications, for mar¬ 
keting and customer feedback for business. Controversy over users’ ability to 
control commercial collection of their online activities still flares. These debates 
are likely to find their way into courts and legislatures for years to come. 


Although this chapter addressed the legal issues directly and tangentially related 
to cybervetting and Internet investigations, its main intent was to help establish a 
framework for principles that can be applied to the policies and practices needed to 
incorporate life online into the intelligence and security schema of life as we have 
come to know it. 


Notes 

1. Mullins v. Department of Commerce, U.S. Court of Appeals for the Federal Circuit, 
06-3284, appealed from U.S. Merit Systems Protection Board, http://www. 
ll.georgetown.edu/federal/judicial/fed/opinions/06opinions/06-3284.pdf (accessed 
August 10, 2010). 


Copyrighted material 



Litigation ■ 113 


2. Sinrod, Eric, Office of Duane Morris LLP, San Francisco, http://technology.findlaw. 
com/articles/00006/010851 .Html (accessed August 10, 2010); Sinrod, Eric J., From 
Googling to Firing? CNETNews.com, May 30, 2007, http:// www.duanemorris.com/ 
articles/article2527.html (accessed August 10, 2010). 

3. Pietrylo et al. v. Hillstone Restaurant Group , Docket No. 2:06-cv-05754 (D.N.J. 
2008), US District Court for New Jersey, Civil Case No. 06-5754 (FSH), July 24, 
2008, http://www.dmlp.org/threats/hillstone-restaurant-group-v-pietrylo (accessed 
January 20, 2014). 

4. Searcey, Dionne, Employers Watching Employees Online Stirs Policy Debate, Wall 
StreetJournal, April 23, 2009, http://online.wsj.com/article/SB 124045009224646091. 
html (accessed June 1,2010); Former Bartender and Waitress Sue One-Time Employer 
over Their MySpace Post, http://3lepiphany.typepad.com/ (accessed August 10, 2010), 
http://www.lawyersandsettlements.eom/settlements/l 3572/internet-privacy-laws- 
myspace-forums-forum.html#.Ut7fB_8o7IU (accessed January 21, 2014). 

5. Pettry, Michael T, supervisory special agent, FBI, presentation to International 
Association of Chiefs of Police, Legal Officers Section, September 29, 2012; http:// 
www.examiner.com/article/cop-demoted-for-posting-a-photo-of-an-obama-t-shirt- 
riddled-with-bullet-holes (accessed January 19, 2014). 

6. Ibid, case cited in presentation in Note 5. 

7. NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958), http://caselaw.lp.findlaw. 
com/scripts/getcase.pl?court=US&:vol=357&linvol=449 (accessed August 10, 2010). 

8. Griffin v. State of Maryland, Case No. 1132, Lash, Steve, Baltimore Daily Record, 
May 31, 2010, http://findarticles.eom/p/articles/mi_qn4 1 83/is_20 1 0053 1 / 

ai_n53902808/, http://mdcourts.gov/opinions/cosa/2010/11 32s08.pdf (accessed 
September 2, 2010). 

9. http://conservancy.umn.edu/bitstream/ 147600 / 1 /Au then ticat ion-of-Social- 
Networking-Evidence-by-Ira-Robbins-MN-Jou rnal-of- Law-Science-Tech-Issue-13-1. 
pdf, p. 27 (accessed January 22, 2014). 

10. Katz v. Ujiited States, 389 U.S. 347 (1967), http://caselaw.lp.findlaw.com/scripts/ 
getcase.pl?court=US&vol=389&:invol=347 (accessed August 10, 2010). 

11. Omnibus Crime Control and Safe Streets Act of 1968, http://www.justice.gov/crt/ 
split/42usc3789d.php (accessed August 10, 2010). 

12. Whalen v. Roe, 429 U.S. 589 (1977), http://caselaw.lp.findlaw.com/scripts/getcase. 
pl?navby=search&xourt=US&case=/us/429/589.html (accessed August 10, 2010). 

13. Smith v. Maryland, 442 U.S. 735 (1979), http://caselaw.lp.findlaw.com/scripts/getcase. 
pl?navby=search&court=US&case=/us/442/735.html (accessed August 10, 2010). 

14. Madden, Mary, et al.. Teens, Social Media, and Privacy, Pew Internet and American 
Life, May 2013, http://www.pewinternet.org/Reports/2013/Teens-Social-Media-And- 
Privacy/Main-Report/Part-2.aspx (accessed January 21, 2014). 

15. United States v. Maxwell, 45 M.J. 406 (1996), http://webcache.googleusercontent. 
co m/search?q=cache:http://www.armfor. uscourts.gov/opinions/1996Term/95_075l. 
htm (accessed cached copy August 10, 2010). 

16. United States v. Charbonneau, 979 F. Supp. 1177 (S.D. Ohio 1997), http://www. 
swlearning.com/blaw/cases/child_porn.html (accessed August 10, 2010). 

17. Davis v. Gracey, http://scholar.google.com/scholar_case?case=l6037774558711975401 
&q=Davis+v.+Gracey,+ l 1 l+F.3d+l472&hl=en&as_sdt=l 0002&as_vis=l (accessed 
August 10, 2010). 


Copyrighted material 



114 ■ Cybervetting 


18. United States v. Ziegler , 474 F.3d 1184 (9th Cir., 2007); see the following paper for 
reviews of similar actions: http://www.howardrice.com/uploads/content/Civil%20 
Actions%20For%20Privacy%20Violations%202007%20-%20Where%20 
Are%20We.pdf (accessed August 10, 2010). 

19. Konop v. Hawaiian Airlines, No. 99-55106, D.C. No. CV-96-04898-SJL (JGx), 2002, 
http://www.internetlibrary.com/pdf/Konop-Fiawaiian-Airlines-9th-Cir-Jan-8-01 .pdf 
(accessed September 4, 2010). 

20. Frommer, Dan, MontanaTown Demands Job Applicants’ Facebook Passwords, Business 
Insider SAI, June 19, 2009, http://www.businessinsider.com/montana-town-demands- 
job-applicants-facebook-pass-words-2009-6 (accessed September 4, 2010); Weinstein, 
Natalie, Bozeman to Job Seekers: We Won’t Seek Passwords, CNET, June 20, 2010, 
http://news.cnet.com/8301-13578_3-10269770-38.html (accessed September 4, 
2010); the posted city of Bozeman, Montana, application for employment asked for 
“any and all, current personal or business websites, web pages or memberships on 
any Internet-based chat rooms, social clubs or forums, to include, but not limited 
to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.” but not for passwords. 
http://privacy.org/Background_Check_Form_Interview_MASTER.pdf (accessed 
September 4, 2010). 

21. http://www.iacpsocialmedia.org/Portals/1 /documents/CybervettingReport.pdf 
(accessed January 20, 2014). The author co-authored this study. 

22. McVeigh v. Cohen , 983 F.Supp. 215 (D.D.C. 1998), http://www.netlitigation.com/ 
netlitigation/cases/mcveigh.htm (accessed August 10, 2010). 

23. Raytheon Company v. John Does 1—21 , Commonwealth of Massachusetts, Middlesex 
Superior Court, Civil Action 99-816, http://www.netlitigation.com/netlitigation/ 
cases/raytheon.html (accessed August 10, 2010). 

24. Price v. Corzine , 2006 WL 2252208 (D.N.J. 2006) and 2007 WL 708879 (D.N.J.). 

25. Robbins, Ira P., Writings on the Wall: The Need for an Authorship-Centric Approach 
to the Authentication of Social-Networking Evidence, Minnesota Journal oj Law , 
Science & Technology , Winter 2013, http://conservancy.umn.edu/bitstream/! 47600/1/ 
Authentication-of-Social-Netwo rking-Evidence-by-Ira-Robbins-MN-Journal-of-Law- 
Science-Tech-Issue-13-l.pdf (accessed January 22, 2014). 

2 6. John Doe v. 2TheMart.com , USDC C01-453Z, April 26, 2001, http://cyber.law. 
harvard.edu/stjohns/2themart.html (accessed January 21, 2014). 

27. Section 230 of 47 US Code, http://codes.lp.findlaw.eom/uscode/47/5/II/I/230 
(accessed August 10, 2010); Communications Decency Act of 1996, http://www.fcc. 
gov/Reports/tcoml 996.txt (accessed August 10, 2010). 

28. Endicott Interconnect Technologies v. NLRB , US District Court of Appeals, No. 
05-1371 and 1381, decided July 14, 2006, http://openjurist.org/453/f3d/532/ 
endicott-interconnect-technologies-inc-v-national-labor-relations-board (accessed 
September 4, 2010). 

29. Belgum, Karl G., Who Leads at Half-time? Three Conflicting Visions of Internet 
Privacy Policy, 6 Rich. J.L. Sc Tech. 1 (Symposium 1999), http://www.richmond. 
edu/jolt/v6i 1 /belgum.html, found at http://cyber.law.harvard.edu/privacy/ 
WhoLeadsatHalftime(Belgum).htm (accessed August 10, 2010). 

30. Sprague, Robert, Rethinking Information Privacy in an Age of Online Transparency, 
Hofstra Labor and Employment Law Journal\ 25: 395, 2009, law.hofstra.edu/pdf/ 
Academics/Journals/LaborAndEmploymentLawJournal/labor_vol25no2_Sprague. 


Copyrighted material 



Litigation ■ 115 


pdf (accessed March 29, 2010). Excerpts: “Certainly no one can complain when pub¬ 
licity is given to information about him which he himself leaves open to the pub¬ 
lic eye.” “Current privacy law suggests that a job applicant who posts embarrassing 
or personal information on a blog or within a social networking site which can be 
accessed by anyone with an Internet connection should have no expectation of privacy, 
and therefore, no recourse, when that publicly-available information is viewed, and 
potentially used, in an employment decision.” Footnotes: See, for example, Dexter v. 
Dexter , No. 2006-P-0051, 2007 WL 1532084, at *6 & n.4 (Ohio Ct. App. May 25, 
2007) (upholding custody for father where mother had posted on her MySpace page, 
among other online statements considered by the court, that “she was on a hiatus 
from using illicit drugs [during the trial] but that she planned on using drugs in the 
future. ... [T]hese writings were open to the public view. Thus, she can hardly claim 
an expectation of privacy regarding these writings.”); Sanchez Abril, Patricia, A (My) 
Space of One’s Own: On Privacy and Online Social Networks, Northwestern Journal 
of Technology & Intellectual Property, 73: 78 (2007) (“Categorically, everyone would 
agree that those who carelessly post shameful pictures of themselves or incriminating 
information on profiles that are accessible to everyone on the Internet cannot reason¬ 
ably claim privacy in their posting.”); Crawford, Krysten, Have a Blog, Lose Your Job? 
CNN Money.com, February 15, 2005, http://money.cnn.com/2005/02/l4/news/ 
economy/blogging (citing four cases of employees being fired for what they had posted 
online, observing that most noncontract employees are at will, meaning they can be 
fired at any point for any or no reason at all without any recourse and are there¬ 
fore extremely vulnerable to such employment actions); Simonetti, Ellen, I Was Fired 
for Blogging, CNET News.com, December 16, 2004, http://www.news.com/2102- 
1030_3-5490836.html?tag=st.util.print (“The official reason for my suspension [and 
eventual termination]: ‘inappropriate’ pictures. The unofficial reason (implied through 
an intimidating interrogation): blogging.”). 

31. Oja v. United States Army Corps of Engineers, 440 F.3d 1122 (9th Cir. 2006), Privacy 
Act of 1974 two-year statute of limitations, http://caselaw.findlaw.com/us-9th- 
circuit/1237864.html (accessed January 21, 2014). 

32. Stacy Snyder v. Millersville University et al., U.S. District Court for the Eastern District 
of Pennsylvania, Case No. 07-1660, decided December 3, 2008. 

33. Dwyer, Jim, The Officer Who Posted Too Much on MySpace, New York Times , 
March 11, 2009, http://www.nytimes.eom/2009/03/l 1/nyregion/l 1 about.html?_r= 
1 &pagewanted=print (accessed September 4, 2010). 

34. Cromer v. Lexington-Fayette Urban Co. Govt., #20088-CA-000698, 2009 Ky. 
App. Unpub. Lexis 71, http://www.aele.org/law/Digests/empl71.html (accessed 
September 4, 2010). 

35. See Note 30. 

36. Jesdanun, Anick, Using a Fake Name on the Internet Could Be Illegal, AP, May 
2008, http://www.newsfactor.com/story.xhtml?story_id=l 1100A799HN3&page=l 
(accessed November 2009). 

37. Steinhauer, Jennifer, Verdict in MySpace Suicide Case, New York Times, November 26, 
2008, http://www.nytimes.eom/2008/l l/27/us/27myspace.html (accessed April 20, 
2010). 

38. Based on review of MySpace, Classmates, Facebook, YouTube, Yahoo, Monster.com, 
Match.com, and Google privacy policy and user agreements. 


Copyrighted material 



116 ■ Cybervetting 


39. Shipley, Todd G., Collection of Evidence from the Internet: Parts 1 and 2, DFI 
News , http://www.dfinews.com/articles/2009/12/collection-evidence-internet-part-l 
(accessed November 27, 2013). 

40. Memorandum Opinion, in the United States District Court for the District of 
Maryland, Jack R. Lorraine and Beverly Mack, Plaintiffs, v. Markel American 
Insurance Company, Defendants, Civil Action No. PWG-06-1893, http://www.mdd. 
uscourts.gov/opinions/opinions/lorraine%20v.%20markel%20-20esiadmissibility 
%20opinion.pdf (accessed April 27, 2014). 


Copyrighted material 



Chapter 9 


International and 
Domestic Principles 


US and International Privacy Principles 

A large number of discussions, held in academic, government, and private venues 
over the past two decades, have resulted in generally recognized privacy principles 
originally incorporated in US statutes in the 1970s. For purposes of this text, the 
core principles first published in 1981 by the US Department of Commerce, 1 as 
amended with input from several sources, including the state of California and the 
Center for Democracy and Technology, deserve mention. 2 Based on considerable 
legal analysis and debate by privacy advocates, these principles are withstanding the 
test of time and litigation. It should be noted that US laws generally lack the privacy 
rights set out in Canadian, European, and Asian laws. Therefore, the principles 
represent useful guidelines for the proper collection and use of personally identify¬ 
ing information, including Internet information, about individuals. The principles 
are as follows: 

1. Notice to individuals when personally identifiable information is col¬ 
lected (awareness) 

2. Limits on use and disclosure of data for purposes other than those for which 
the data were collected (choice) 

3. Limitations on the retention of data 

4. Requirements to ensure the accuracy, completeness, and timeliness of information 

5. The right of individuals to access information about themselves 


117 


Copyrighted material 


118 ■ Cybervetting 


6. The opportunity to correct information or challenge decisions made, based 
on incorrect data (recourse) 

7. Appropriate security measures to protect the information against abuse or 
unauthorized disclosure (data security) 

8. Redress mechanisms for individuals wrongly and adversely affected by the use of 
personally identifiable information (enforcement, verification, and consequences) 

A Consumer Privacy Bill of Rights drafted and announced in 2013 by the White 
House 3 was a nonstarter in Congress, but it illustrated that there is some support for 
incorporating the principles outlined into US statutes. The US Government (USG) 
has established presidentially approved Adjudicative Guidelines for Determining 
Eligibility for Access to Classified Information (latest edition 2006, 32 CFR Part 
147), 4 which have existed in substantially the same form since President William 
Clinton signed them into effect in an executive order (EO) in August 1993. 
Currently, federal practices include notice, consent, verification, appeal, correction, 
and confidentiality, which directly conform to the privacy principles cited. In over 
45 years of involvement at various levels, from conducting background investiga¬ 
tions to overseeing security and counterintelligence in the federal agencies at the 
National Security Council, I have observed a passionate dedication—in profes¬ 
sionals involved in security, investigative, intelligence, clearance, and adjudicative 
work—to the rule of law, fair play, and the privacy principles listed. Because the 
adjudicative guidelines contain both behaviors of concern and mitigating factors to 
be considered in a determination of eligibility for access to classified information, 
they represent well-established benchmarks for any employer with a need to protect 
valuable intellectual property in the workplace or ensure the trustworthiness of 
those hired or cleared. 

A brief summary of the federal guidelines for determining eligibility for access 
to classified information (see Chapter 4) lists types of behavior that might be 
found by any investigative measure, including Internet searching. They are sub¬ 
stantive concerns that could, if verified, lead to denial of a clearance or a position 
of trust. The guidelines include foreign allegiance, influence, preference, or extrem¬ 
ism; illicit or unbalanced sexual behavior; dishonest or insubordinate personal con¬ 
duct; financial issues (i.e., irresponsibility or unexplained wealth); alcohol or drug 
abuse; untreated mental or emotional disorders; criminal conduct; mishandling of 
confidential information; and misuse of information systems. Any conduct demon¬ 
strating a recent or recurring pattern of questionable judgment, irresponsibility, or 
emotionally unstable behavior can itself be disqualifying. 

The federal guidelines focus on the reliability factor: An individual exhibiting 
prior misbehavior described in the guidelines may be a poor choice for a govern¬ 
ment position that requires loyalty, discretion, and good judgment. The guidelines’ 
preamble includes the following: “The adjudicative process is the carelul weighing 
of a number of variables known as the whole person concept. Available, reliable 
information about the person, past and present, favorable and unfavorable, should 


Copyrighted material 



International and Domestic Principles ■ 119 


be considered in reaching a determination.” The guidelines provide a series of fac¬ 
tors to be considered in assessing whether the acts in question should or should not 
disqualify an individual in a specific case from eligibility for a clearance, including 
these factors related to the behaviors: 

■ Seriousness 

■ doming, including start, completion, and recency (elapsed time) 

■ Number of repetitions (frequency) 

■ Likelihood of recurrence 

■ Voluntary reporting of the information about the behavior 

■ Promptness in efforts toward correction 

■ Truthfulness and completeness in responding to questions 

■ Willingness to seek assistance and follow professional guidance, if appropriate 

■ Resolution or likely favorable resolution of the security concern 

■ Demonstration of positive changes in behavior and employment 

■ Demonstration of proper motivation by complying promptly 

■ Unusual circumstances 

■ Conflict of interest 

■ Occurrence prior to or during adolescence with no evidence of subsequent 
conduct of a similar nature 

■ Potential to serve as a basis for coercion, exploitation, or duress (blackmail) 

■ Resolution plan with a signed statement of consent 

■ Successful completion of treatment 

Often, assessments addressing the possibility of mitigating factors can help 
adjudicators understand past mistakes that are unlikely to recur, such as common 
juvenile misbehavior. In an era when a candidate is as likely to act out online as in 
the physical world (perhaps more likely), it is important to consider such behav¬ 
ior in assessing the candidate, both for questionable conduct and for mitigation. 
Further, many enterprises should consider the orientation and training needed if 
a hiring or clearance decision is made, in the context of established authorized use 
policies, data sensitivity and value, vulnerability of information systems, and cul¬ 
ture of the enterprise. 

Today’s computer systems misuse issues include a variety of misbehaviors pre¬ 
viously seen in a much smaller, physical context, such as cyber bullying; stalking; 
offensive messaging (e.g., racist, sexually suggestive, vulgar, obscene, or discrimina¬ 
tory texts or images); and other forms of behavior that violate employee behavioral 
guidelines. Socially irresponsible behavior online can disrupt the workplace and 
subject the enterprise to accusations of harboring a hostile workplace environment. 
Although it is important to include these types of misbehavior in employee hand¬ 
books to discourage online and offline misbehavior, an employer has an affirmative 
obligation to prescreen, monitor, and enforce information technology (IT) system 
norms. When users’ actual online habits are unknown to managers because no 


Copyrighted material 




120 ■ Cybervetting 


attempt was made to discover the subgroup guilty of blatant violations of standards, 
the enterprise is vulnerable to charges of ignoring prehire indicators of unsuitabil¬ 
ity, or posthire, obvious misuse. 

Although not a part of the government clearance criteria, a principle that 
appears to be emerging in employment standards nationwide is the question of rel¬ 
evance to the duties of the position that past misbehavior may represent. In the case 
of Internet searching, any kind of prior misdeed could be found, from prior arrests 
to drug or alcohol abuse to unethical behavior . 5 If an Internet search revealed that 
the subject had engaged in cybercrime or computer-related illicit acts (e.g., piracy, 
counterfeiting, malware, spam, harassment), then a candidate whose job would 
include authorized access to a workstation on the employers network could be 
considered ineligible based on computer-related misbehavior. One of the prime rea¬ 
sons to consider Internet vetting as part of background investigations is that it is 
one of the few ways to ascertain whether the candidate can be trusted to use the 
employer’s information systems properly, and if special training and monitoring are 
needed, prior to entrusting access to the new hire. 

One observation about why more agencies and businesses have not implemented 
enhanced attempts to address information systems behavior issues in the application, 
interview, background investigation, orientation, and training processes is that the 
complexities of employment law, recruitment, and related issues act as deterrents. 
One aim of this book is to enable any enterprise to address the serious issue of prior 
computer systems misbehavior legally and ethically. The USG has recently started 
asking candidates for clearances whether or not they have engaged in forbidden 
uses of computer systems . 6 Based on legislation, privacy policy, and established per¬ 
sonnel practices, it is possible to add appropriate legal measures that are explained 
further in this book. A review of the relevant statutes and litigation revealed an 
exception to the privacy safeguards that could potentially limit employers’ use of 
data found on their own systems or elsewhere on the Internet. That exception is 
proper notice to the employees, contractors, and other users of the employers’ infor¬ 
mation systems, and consent from the same group, to access what legally belongs to 
the employers: systems, networks, and data owned by the employer. Because of the 
rapid development of technology and its ever-changing uses, the laws and customs 
that apply could be described as in a state of flux. However, prior agreement by 
employees and applicants, as well as others contracting with an enterprise, enables 
mutual understanding about how the owner intends to protect information and the 
systems on which it is kept and transmitted. 

The proliferation of mobile devices used for both work and personal activities 
has complicated employees’ views about what is private versus open to an employer. 
For example, an employee may keep online bank, brokerage, and e-mail accounts 
on a computer, and even on a cell phone, issued by the employer for work. Most 
employers tolerate a limited amount of time online to conduct personal business 
during the workday, but the sensitive personal information of the employee is now 


Copyrighted material 



International and Domestic Principles ■ 121 


hosted on the employers computers and handheld devices. Because many employ¬ 
ers issue mobile phones and tablets with which they can contact the employee using 
instant messaging, e-mail, or paging, obvious issues of employees’ sensitive personal 
data storage arise. When employees use their own cell phones and handhelds to 
receive personal e-mail and conduct other nonwork communications in the work¬ 
place, the data of the employer and employee may again be mixed. The “bring your 
own device” (BYOD) security issue is currently a hot topic for IT administrators 
and security staff. Having clear understandings between the employer and employ¬ 
ees about the limits of privacy and security for any information, communications, 
or Internet uses involving the enterprise’s computers, network, information, or data 
storage platforms can help set all parties’ expectations and may head off conflicts. 

The principle of notice and consent is also often applied to contractual agree¬ 
ments not to compete against an employer (during employment and often for a 
fixed period of time after leaving) and not to breach the confidentiality of propri¬ 
etary information without the employer’s prior consent. If an employee has cop¬ 
ies of an employer’s data, such as customer lists, on a portable computing device, 
the security of that data can be compromised both during and after employment. 
Anecdotal evidence, including lawsuits by enterprises to prevent ex-employees’ use 
of data collected on the job, suggests that this problem is increasing. If a candidate 
is in the habit of collecting, storing, using, and sharing files that belong to others 
(e.g., videos, music, and software obtained without a paid license), then the pro¬ 
spective employer would see in advance that the individual should be made aware 
of, and agree to, the employer’s standards for protection and use of proprietary data 
before being given unfettered access on the job. Further, just as employees have a 
right to expect the employer to protect personally identifying information (e.g., 
bank account data) residing on the employer’s systems, so the employer has a right 
to expect the employees to abide by data use restrictions in the workplace. 

An effective way to inform enterprise users and document terms of access to 
information systems is the notice or reminder posted on computer log-on screens, 
including the US Department of Defense’s banners, such as: 

You are accessing a US Government (USG) information system (IS) 
that is provided for USG-authorized use only. By using this IS, you 
consent to the following conditions: 

■ Ihe USG routinely monitors communications occurring on this IS, 
and any device attached to this IS, for purposes including, but not 
limited to, penetration testing, COMSEC [communications secu¬ 
rity] monitoring, network defense, quality control, and employee 
misconduct, law enforcement, and counterintelligence investigations. 

■ At any time, the USG may inspect and/or seize data stored on 
this IS and any device attached to this IS. 


Copyrighted material 



122 ■ Cybervetting 


■ Communications occurring on or data stored on this IS, or any 
device attached to this IS, are not private. They are subject to 
routine monitoring and search. 

■ Any communications occurring on or data stored on this IS, or 
any device attached to this IS, may be disclosed or used for any 
USG-authorized purpose. 

■ Security protections may be utilized on this IS to protect certain 
interests that are important to the USG. For example, passwords, 
access cards, encryption or biometric access controls provide 
security for the benefit of the USG. These protections are not 
provided for your benefit or privacy and may be modified or elim¬ 
inated at the USG s discretion. 

This log-on message clearly is USG centric, but any employer can craft an 
appropriate warning to users about the rules of systems to which they are granted 
access. Once users are notified by all appropriate means (e.g., employee handbook, 
orientation, training, and on-screen notices like the one presented), there is a rea¬ 
sonable expectation that most will follow the rules, and those who do not comply 
are clearly in the wrong—again, witness Edward Snowden and Robert Hanssen. 

Litigation concerning digital forensic evidence taken from computer systems 
by employers and law enforcement has produced a steady stream of case law that 
upholds the employers ownership of the systems, networks, and data and the rights 
of monitoring of and collection from those systems for any lawful purpose. Courts 
have almost universally upheld actions based on evidence found on enterprises’ 
computer systems provided for employees’ use. Claims centered on the employ¬ 
ees’ privacy rights, on reasonable expectation of privacy in the workplace, and on 
personal use of employers’ systems have favored the employer and the government 
over the employee. Rulings to date reportedly have all been in favor of employers 
who have established policies regulating how employees are to use work systems 
and who have notified employees that their use of employers’ systems constitutes 
consent to monitoring for security and compliance purposes. In some cases, this 
has included employees’ Internet use. A possible exception might be an employ¬ 
ee’s use of a personal (nonwork) e-mail system for private communications with 
an attorney . 8 


Government Standards 

The USG has long-established standards for personnel security, based on presiden¬ 
tial EOs, cabinet directives, and departmental/agency policies. The nucleus of US 
standards on classified information includes such documents as EOs on access to 
classified information, adjudicative guidelines for determining eligibility for access 
to classified information, personnel and information systems’ security policies and 


Copyrighted material 



International and Domestic Principles ■ 123 


procedures, and related directives. In addition, classified information is protected 
by the espionage statutes. Since September 11, 2001, the Homeland Security 
Presidential Directive and Patriot Act, among others, has focused on protecting 
US critical infrastructures. In the private sector, the Economic Espionage Statute 
of 1996, as amended, prescribes stiff 7 penalties (e.g., 15—30 years of imprisonment) 
for theft of intellectual property. Trade secrets statutes in many states mirror federal 
prohibitions against misappropriation of employers' data. 

Although further review of USG clearance standards for highly trusted persons 
is not necessary here, it is worthwhile to note that when protecting valuable and sen¬ 
sitive information, the most rigorous security measures, including in-depth vetting 
of candidates, are required. Similarly high standards apply for law enforcement and 
private security personnel. Todays enterprises, in both government and business, 
including critical infrastructures, often place invaluable information at the disposal 
of all authorized users of enterprise information systems. Since the early 1990s, 
security breaches in government and industry have increasingly involved comput¬ 
ers, both at work and at home. In truth, the full extent of the security problems 
that have arisen because of the greater amounts of time spent online at work and 
at home is as yet unknown. However, anecdotal evidence suggests that, in recent 
years, agencies and companies have been grappling with computer-related security 
issues that are more numerous and involve online behaviors previously not seen. As 
yet, government clearance procedures do not explicitly include Internet vetting or 
require preemployment disclosure of details of the candidates life online. 9 Many 
federal agencies, and some state and local law enforcement agencies, are finding evi¬ 
dence of Internet misbehavior in screening interviews and polygraph examinations 
and sometimes when background investigators Google candidates. It stands to rea¬ 
son that the established standards for clearances will require enhancements when 
Internet behavior is added as a focus in government background investigations, as 
a recent government study based on a notorious act of violence in a government 
workplace recommended. 10 

Executive Orders 12958, 12968, and 13231 contain the standards by which clas¬ 
sified information and critical infrastructures will be protected and by which 
individuals will be granted access to classified information. These orders do not 
directly address Internet vetting. EO 13231, Critical Infrastructure Protection in 
the Information Age (October 16, 2001), includes the following, in part: 

(a) The information technology revolution has changed the way busi¬ 
ness is transacted, government operates, and national defense is 
conducted. Those three functions now depend on an interdepen¬ 
dent network of critical information infrastructures. The protec¬ 
tion program authorized by this order shall consist of continuous 
efforts to secure information systems for critical infrastructure, 
including emergency preparedness communications, and the 
physical assets that support such systems. Protection of these 


Copyrighted material 



124 ■ Cybervetting 


systems is essential to the telecommunications, energy, financial 
services, manufacturing, water, transportation, health care, and 
emergency services sectors. ... 

(d) Recruitment, Retention, and Training Executive Branch Security 
Professionals. In consultation with executive branch departments 
and agencies, coordinate programs to ensure that government 
employees with responsibilities for protecting information sys¬ 
tems for critical infrastructure, including emergency prepared¬ 
ness communications, and the physical assets that support such 
systems, are adequately trained and evaluated. In this function, 
the Office of Personnel Management shall work in coordination 
with the Board, as appropriate. 

To date, most federal agencies have not included Internet vetting in standards 
established to evaluate the background of those who will be given access to clas¬ 
sified, law-enforcement-sensitive, or critical infrastructure information systems. 11 
Efforts to strengthen the critical infrastructures of the United States only rarely 
have placed special emphasis on personnel security and on the evolution needed 
in information systems security based on changing vulnerabilities, social behav¬ 
ior, and societal norms. Although observers are concerned about ethics online 
and the implications of increasing misuse of information systems, as yet there is 
no consensus that personnel security measures must move more quickly to adapt 
to evolving computer security vulnerabilities. Increased protection measures for 
the most essential of our critical infrastructures, the staff, have not been included 
in enhancements to security, even though they were deemed critical by the Joint 
Security Commission in its report redefining security to the secretary of defense 
and director of central intelligence on February 28, 1994, which called for “new 
strategies for achieving security within our information systems.” 12 Unfortunately, 
most of the new strategies have focused on automated self-protection of computer 
systems and not on the human element, including digital footprints of human 
actions online. 

The news media reported in the 2008 postelection, preinauguration period 
that then-President-elect Barack Obama asked potential candidates for high-level 
appointments to disclose their Internet identities (e-mail addresses, profiles, and 
nicknames) for their background vetting. 13 This requirement demonstrates the rec¬ 
ognition that those selected for responsible positions should not have a history of 
Internet activities or posted data that indicate they were involved in illegal, illicit, or 
socially unacceptable behaviors. Public Internet postings were considered too obvi¬ 
ous to overlook for cabinet- and subcabinet-level posts. Since the election, equal 
recognition of the same principle for other federal employees (even highly respon¬ 
sible officials, such as intelligence community and law enforcement members) has 
not emerged. 


Copyrighted material 



International and Domestic Principles ■ 125 


A search for explicit authority for the government to use open-source intel¬ 
ligence (including Internet vetting) when investigating candidates for access to 
classified information turned up little of value. Executive Order 12333, United 
States Intelligence Activities (December 4, 1981, as amended August 27, 2004), 
does authorize collection of “information that is publicly available or collected 
with the consent of the person concerned.” This is an exemption from prohibi¬ 
tions against the US intelligence community targeting of US persons (citizens and 
permanent resident aliens). The Federal Bureau of Investigation (FBI), other law 
enforcement agencies, and other state and federal agencies would also be authorized 
to collect information concerning any person suspected of a crime or who applies 
for employment or access to classified information. The reason why this standard 
has relevance is that modern norms of intelligence collection and background 
investigation include legally permissible Internet searching. Even the American Bar 
Association recommends Internet searching, noting that it can reduce the cost and 
improve the speed and results of legal research. 14 


Parallel Guidance: Internet Research Ethics 

When considering guidance for new types of activities, it is important to consider 
how ethics are applied in different but parallel endeavors. During the past 20 years, 
the behaviors of individuals and groups online have become subjects of study by 
sociologists, linguists, anthropologists, psychologists, and a host of other research¬ 
ers. Fascination with virtual worlds, new types of communication, and networks 
of people distributed across the globe, but connected by the power of the Internet, 
has attracted the attention of both serious and casual students of human behavior. 
Communities online have developed modes of existence and interaction all their 
own and created values that have moved researchers to recognize a variety of ethical 
approaches to their work. Based on published materials, these ethical approaches 
shed light on the issues, strong beliefs, and alternative approaches that should be 
considered by intelligence practitioners on the Internet. These ethical norms are 
covered in Chapter 10. 


Notes 

1. US Department of Commerce, Elements of Effective Self-Regulation for Protection 
of Privacy, National Telecommunications and Information Administration Discussion 
Draft, US Department of Commerce, 1998, http://www.ntia.doc.gov/reports/ 
privacydraft/198dftprin.htm (accessed August 10, 2010). 

2. Dempsey, James X., executive director, Center for Democracy and Technology, testi¬ 
mony to U.S. Senate Committee on the Judiciary, April 13, 2005, and California state 
privacy principles, http://www.cdt.org/privacy/guide/basic/generic.html and http:// 
www.privacyrights.org/ar/princip. htm (accessed March 13, 2010). 


Copyrighted material 



126 ■ Cybervetting 


3. The White House, Washington, DC, Fact Sheet: Plan to Protect Privacy in the Internet 
Age by Adopting a Consumer Privacy Bill of Rights, http://www.whitehouse.gov/ 
the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting- 
consumer-privacy-b (accessed January 28, 2014). 

4. Adjudicative Guidelines for Eligibility for Access to Classified Information Summary, 
http://www.state.gov/rn/ds/clearances/60321.htm (accessed August 10, 2010). 

5. Based on tens of thousands of Internet searches conducted by my firm. 

6. Questionnaire for National Security Positions, Standard Form-86, Section 27 questions, 
Use of Information Technology Systems, http://www.opm.gov/forms/pdf_fill/sf86.pdf 
(accessed August 10, 2010). 

7. Copied in April 2008 from a Defense Personnel Security Research Center computer 
system banner log-on screen. 

8. Westmoreland, Jill, Minimizing Employer Liability for Employee Internet Use, Los 
Angeles Business Journal, July 31, 2000, http://www.thefreelibrary.com/Minimizing 
+Employer+Liability+for+Employee+Internet+Use-a063986324 (accessed August 10, 
2010). This article contains good advice about an employers need to notify and obtain 
consent from employees regarding monitoring of their online behaviors. Marina 
Stengart v. Loving Care Agency, Inc., New Jersey Court, A-16-09, ruled that Stengart has 
a reasonable expectation that personal e-mails to and from her attorney would remain 
private, although copies were on her workplace computer, http://lawlibrary.rutgers. 
edu/courts/supreme/a-l6-09.opn.html (accessed May 5, 2010). 

9. Dinan, Stephen, Rules that Bar Feds from Trolling Facebook, Twitter Could Have Weeded 
Out Snowden, The Washington Times, March 16, 2014, http://p.washingtontimes. 
com/news/20l4/mar/l6/ (accessed March 18, 2014). 

1 0. Report to the President, Suitability and Security Processes Review, February 2014, The 
White House, Washington, DC, http://www.whitehouse.gov/sites/default/files/omb/ 
reports/suitability-and-security-process-review-report.pdf (accessed March 26, 2014). 

11. Dinan, Rules (Note 9). 

12. Redefining Security, A Report to the Secretary of Defense and the Director of Central 
Intelligence, February 28, 1994, Joint Security Commission, Washington, D.C. 

13. Hurwicz, Macy, Barack Obama Staff to Have Email and Facebook Vetted, Telegraph, 
November 13, 2008, see http://www.telegraph.co.uk/ news/3453916/Barack-Obama- 
staff-to-have-email-and-Facebook-vetted.html (accessed August 10, 2010). 

14. Bliss, Lisa R., Using the Internet to Save on Legal Research Costs, American Bar 
Association Litigation News, July 10, 2009; recommends using Internet searching to 
reduce legal research costs to ascertain data about cases, background information, 
media coverage, and blog entries about cases and parties, but verifying findings. See 
http://www.abanet.org/litigation/litigationnews/top_stories/legal-research-costs- 
internet.html (accessed August 10, 2010). 


Copyrighted material 



Chapter 10 

Professional Standards 
and the Internet 


Introduction 

Laws are designed to deliver public safety and privacy and ensure human rights. 
Ethical and behavioral standards are created to carry out laws and regulations and 
ensure that fairness, openness, and choice (among other values) are employed in 
professional endeavors. One problem with using relatively new criteria to judge 
eligibility, capability, and past behavior is that the law is slow to catch up, and 
the ethical standards and guidelines that normally follow the law are even slower 
to develop. Internet vetting, when addressed in the few standards and guidelines 
where it is mentioned, has been discouraged because of the issues that inexpert 
collection, assessment, reporting, and adjudication of Internet search results can 
engender. A review of the most important guidance available is revealing and 
instructive and shows that this emerging area of standards is at an early stage of 
development. Blogs, chats, discussion forums, networking sites, game sites, mutual 
interest groups, and massively multiplayer online role-playing games (MMORPGs) 
present a rich panorama of different types of human interaction; varied “ground 
rules” in access, privacy, and use; and a challenge for those seeking to impose a 
definitive set of ethical tenets for those involved. 

As difficult as it seems for lawyers and ethicists to address guidance (not really 
surprising because their focus is steeped in traditional authority, from times long 
before the Internet), it is strange that those studying the Internet in depth have yet 
to be consulted for the guidance necessary. If we wait for the lawyers, how much 
risk will be absorbed by enterprises unable to react in “Internet time”? Authorized 


127 


Copyrighted material 


128 ■ Cybervetting 


use and privacy policies of the websites themselves provide a starting point and are 
only now being used to enforce requirements for users, over 21 years after the explo¬ 
sion of the use of the Internet. At this time, it is especially important to understand 
the medium and adopt a practical policy for addressing the legal and ethical issues 
without waiting for uninitiated legalists to reach final conclusions. After all, they 
are bound to go to court to litigate unresolved issues (or raise new issues about 
resolutions found). We should start with the standards that exist. 


ASIS Standards 

ASIS International, an organization of over 38,000 security management pro¬ 
fessionals worldwide, provides internationally recognized standards on various 
security topics. In February 2008, ASIS published its Preemployment Background 
Screening Guideline , which in 2009 was reviewed and updated. 1 The following is a 
summary (in my words, not the copyrighted ASIS version) of the guidelines’ con¬ 
tents on Internet vetting: A new trend is the use by employers of online searches on 
applicants. Employers should approach online searches with caution because 

■ Postings may include information not intended for an employer to see, access 
to which may be controlled by passwords, terms of use, and privacy laws and 
policies. Although anything on the Internet may be considered public, posted 
materials may be intended for private use only. 

■ Employers or recruiters doing background checking on the Internet are not 
required to abide by the Fair Credit Reporting Act (FCRA), as are contracted 
investigators, so an applicant may not be notified when Internet data are used 
in an adverse decision (and will not find out that it was based on what was 
found online). 

■ Unlawful discrimination in hiring could occur if an employer used protected 
status under equal employment laws (e.g., race, religion, age) as the basis for 
an adverse decision. 

■ Job requirements should guide an employer’s consideration of online content. 

■ Internet postings may be difficult to attribute to an individual because of 
shared virtual identities, false postings, unverified name match, or malicious 
posting of deceptive material. 

The ASIS guideline deserves a detailed analysis because it is accepted as a stan¬ 
dard by a large number of businesses and some government agencies. Although 
the volunteers who oversaw the composition of the guidelines (like other ASIS 
standards and guidelines) worked conscientiously and diligently to create consen¬ 
sus on baseline principles, their conclusions about the Internet, legal questions, 
and relevant privacy issues did not include mention of dissenting but authoritative 
views. Even though the ASIS guide adopts a legal approach designed to protect 


Copyrighted material 



Professional Standards and the Internet ■ 129 


employers against potential lawsuits for using Internet vetting, it eschews adoption 
of an Internet search methodology adequate to protect employers against online 
misbehavior by candidates and designed to protect an employer against negligent 
hiring (which could occur if easily found Internet postings are ignored). The ASIS 
guideline fails to address the proper, legal manner in which Internet vetting could 
be accomplished, while discouraging such vetting. Meanwhile, it appears that 
an increasing number of employers conduct Internet searches on applicants for 
employment. According to a June 2009 CareerBuilder.com survey of over 2,600 
hiring managers, 2 45% (up from 22% in 2008) checked social networking sites to 
find out information regarding potential candidates, and 35% reported finding 
data on social networking sites that caused them not to hire candidates. A 2013 
survey by HireRight 3 found that employers using searches of social networking 
sites in background screening fell from 24% in 2012 to 21% in 2013, and 61% of 
employers surveyed used social networking sites for recruiting. A June 2013 study 
by CareerBuilder showed that 

nearly 39 percent of employers use social networking sites to research 
job candidates, up from 37 percent last year. Of those, 43 percent said 
they have found information that factored into their decision not to 
hire a candidate—such as provocative or inappropriate photos and dis¬ 
criminatory comments related to race, gender or religion or the like— 
while 19 percent said they have found information that influenced their 
decision to hire a candidate—such as evidence of great communica¬ 
tions skills and a professional-looking profile. 4 

The ASIS guidance appropriately says “approach with caution” but does not address 
appropriate ways to deal with what employers are finding online (i.e., clearly inap¬ 
propriate behaviors disqualifying to candidates) and the unanswered question of 
how best to employ cybervetting. 

The ASIS guideline expresses concern about the possible risk to someone’s pri¬ 
vacy if an employer accesses material that “a person did not intend for an employer 
to view.” It is not clear where ASIS found the legal principle that says a person’s 
intent about access to and use of publicly available information supersedes an 
employer’s right to view it and take it into consideration. Public Internet postings 
are not protected in law, and a right to privacy is not ascribed to someone’s publicly 
visible, illegal, illicit, or offensive behavior. An employer might find it difficult to 
defend the hiring of someone whose Internet profile notoriously featured illegal, 
illicit, or offensive behavior. The guideline fails to weigh the possibility that an 
arrogant or ignorant person boldly can post evidence of his or her ineligibility— 
and the employer should consider it. Employers include government, law enforce¬ 
ment, and private-sector entities whose staffs must be able to meet the highest levels 
of scrutiny. Unfortunately, I have seen numerous instances in the past 4 years of 
illegal, illicit, and antisocial behaviors posted on the public Internet for anyone to 


Copyrighted material 



130 ■ Cybervetting 


see. Fortunately, we found many of them in time to help protect employers against 
clearly unqualified persons. 

It is true, as the ASIS guideline said, that an employer need not abide by the 
FCRA when the employer (and not a consumer reporting agency) checks the 
Internet, declines to hire the person, and does not notify the applicant of the rea¬ 
son. Under the FCRA, it is within the employer’s legal rights not to notify the 
person when any investigation is conducted in-house. Although in an ideal world, 
applicants would be able to find out why they are not hired, there are many legiti¬ 
mate reasons why an employer may choose not to hire someone. Most employers 
will disclose the reasons if the applicant merely asks. Provisions of the FCRA do not 
directly address Internet vetting. An employer or contract background investigator 
can abide by FCRA and still conduct Internet vetting legally and properly using 
the correct approach. 

The ASIS guideline raises the possibility of discrimination under Title VII of 
the Equal Rights Act of 1964 if Internet vetting is done. Title VII describes the 
grounds that would be illegal reasons to deny employment, such as racial, sex, or 
religious discrimination. A decision not to hire based on an Internet search has no 
relationship with Title VII, which does not address Internet vetting. Only if the 
employer discriminates as defined in the law would the employer be in violation of 
Title VII, whether or not an Internet search occurred. Internet vetting itself is not 
a discriminatory act, but a decision made to hire or not to hire, based on a prohib¬ 
ited factor found in a search, could be discriminatory. Items found in preemploy¬ 
ment interviews of a candidate, previous employers, educators or references, records 
reviewed, or similar screening collection could also include discovery of potentially 
discriminatory factors. Protected classes should not be identified as such in reports 
of Internet investigations (or any other type of background screening report, 
exactly as required for traditional background investigations). Employers should 
use policies and procedures that ensure candidates fair, nondiscriminatory treat¬ 
ment, regardless of the methods used to collect information about the applicants. 

The ASIS guideline raises a valid question about the relevance of Internet search 
results to job requirements. A candidate’s prior misbehavior online can certainly 
be an indicator of future information systems misuse during employment, as can 
illegal or illicit behavior that an employer wishes to avoid in selecting applicants for 
employment. In a recent case, we found that a person had been hired to a senior 
research position after an extensive and expensive effort by the employer to find the 
most qualified candidate. The person hired had hidden the fact that he had been 
sanctioned by the government for scientific misconduct in research, to which he 
had admitted. Government records, when first checked, contained no reference to 
the punishment or misconduct. An Internet check revealed government publica¬ 
tions saying that the individual had been prohibited from government research 
contracting for 3 years. In this case, the employer had incurred tens of thousands 
of dollars in recruitment, hiring, and other expenses, when a simple Internet check 


Copyrighted material 



Professional Standards and the Internet ■ 131 


prior to finalizing the hire could have revealed the misconduct and the lack of can¬ 
dor by the candidate. 

The ASIS guideline raises the issues of identification and attribution but 
omits the issue of seriousness (because often juvenile postings are humorous and 
exaggerated). These are key concepts for employers considering Internet searching 
as part of background investigations. Identifying which references may refer to the 
subject, may be posted by someone “spoofing” or masquerading as the subject, or 
may represent a fantasy or an untruth requires careful analysis. A recent contestant 
on a national TV talent show admitted that photos of her in underwear on the 
Internet were genuine, but she was slandered by other, pornographic photos that 
were doctored to include her image and were unscrupulously posted. Producers 
recognized the difference after a cyber investigation. It is important that investiga¬ 
tors and adjudicators exercise great care in using the findings of Internet searching. 
Like analyses of all investigative results, online data may or may not be factual or 
relevant. Investigators and employers must make proper use of items collected from 
the Internet for any finding to play an appropriate role in an application or clear¬ 
ance process, just as they must with any other source of potentially derogatory data. 
Critical information maybe missed without Internet searching. Through cybervet¬ 
ting employing proper procedures, the employer will reap the reward of identifying 
prior behavior that needs to be addressed, whether the candidate is hired, cleared, 
retained, or not. It should be noted that based on my experience and two recent 
studies, 9% to 31.5% of subjects of cybervetting will have potentially derogatory 
findings, while most results will reflect positively on, or be neutral to, a candidacy. 


National Association of Professional 
Background Screeners 

The National Association of Professional Background Screeners (NAPBS), founded 
in 2003 as a nonprofit trade association, represents the interest of companies offering 
tenant, employment, and background screening. NAPBS promotes ethical business 
practices and compliance with the FCRA and fosters awareness of issues related to 
consumer protection and privacy rights within the background screening indus¬ 
try. Members must abide by the standards and code of conduct and go through 
an accreditation process. The following standards from the NAPBS Member and 
Accredited Agency Codes of Conduct call for individual members and agencies to 5 

1. Perform professional duties in accordance with the law and the highest moral 
principles and the BSAAP (Background Screening Agency Accreditation 
Program) Accreditation Standard. 

2. Observe the precepts of truthfulness, honesty, and integrity. 

3. Be faithfu 1, competent, and diligent in discharging professional responsibilities. 


Copyrighted material 



132 ■ Cybervetting 


4. Be competent in discharging professional responsibilities. 

5. Safeguard confidential information and exercise due care to prevent its 
improper disclosure. 

6. Avoid injuring the professional reputation or practice of colleagues, clients, 
or employers. 

However, nothing in this code limits a member from engaging in fair, competitive 
business practices. 

The NAPBS approach depends on the FCRA standards, 6 which are worth a 
second look: 

The FCRA says that a consumer has the right to be told if information in a con¬ 
sumer report results in an action against him or her (e.g., denial of an application 
for employment, credit, or insurance); to see the contents of a consumer reporting 
agency’s file concerning the consumer; to dispute and correct inaccurate or incom¬ 
plete information (which must be corrected if a mistake is verified); and to consent 
prior to a consumer report being provided to an employer. 

NAPBS advocates a highly ethical approach to conducting background investi¬ 
gations and by virtue of its relatively high dues and charges (e.g., for accreditation) 
is primarily focused on large agencies and their practices. 


Association of Internet Researchers 

The Association of Internet Researchers (AoIR) thinks of Internet research in terms 
of observing human behaviors online, for many purposes, most often sociological, 
psychological, or behavioral studies of human interactions online or of works of art. 
In this arena, a host of ethical questions arises as researchers interact with individu¬ 
als in “virtual worlds,” social networking sites, blogs, and Internet Relay Chat sites 
and encounter new types of content (e.g., videos, graphics, photographs) and the 
like. Questions of disclosure, informed consent, identifying and quoting without 
permission, and so on have been addressed in rich AoIR discussions from the varied 
perspectives of the social sciences, the humanities, ethical and legal scholars, and 
Internet users over the past few years. In confronting national and international 
laws, ethics, and definitions of privacy, autonomy, and netizens’ expectations, AoIR 
has captured and inspired spirited discussions of many related issues. The AoIR has 
developed standards titled Ethical Decision-Making and Internet Research (2002, 
and Version 2.0, 2012) to help researchers make ethical decisions in areas that 
are admittedly fluid and hard to define, particularly in an international context. 
Among the salient guidelines are the following: 

■ An “ethical pluralism” approach (recognition of different ethical frameworks). 

■ An Aristotle-like attempt “to discern what [doing] the right thing at the right 
time for the right reason and in the right way may be,” through a combina¬ 
tion of judgment and the rules that apply in an individual situation. 


Copyrighted material 



Professional Standards and the Internet ■ 133 


■ Questions to ask, including Internet venue (e.g., home pages, blogs, chat 
rooms, etc.), with the relevant ethical expectations (e.g., posted site policy) to 
judge the degree of privacy expected, and who are the subjects (e.g., adults or 
minors) of research. 

■ Considerations of timing, communications, and how materials will be used, 
to protect human subjects’ rights to privacy, confidentiality, autonomy, and 
informed consent. 

■ Relevant legal requirements and ethical guidelines not only in the country of the 
researcher but also in those of the subjects (recognizing the international nature 
of the Internet, e.g., the contrast between EU and US data protection standards). 

Additional considerations include the following: 

Assumptions (and the validity thereof) of participants/subjects of a study, such 
as the difference between people observed in private exchanges versus those 
who view themselves as authors. 

The ethically significant risks that the research might pose for a subject, such 
as intimate content, that could result, if disclosed, in harm to a subject. The 
principles of “above all, do no harm,” and assessing how the benefits to be 
gained from the research may in some way offset/balance the risks posed, are 
important benchmarks for ethical decision making. However, a utilitarian 
approach (as in the United States, where research gains may be viewed as 
outweighing risk to personal privacy) differs markedly from a deontological 
approach (as in Europe, where personal privacy almost always outweighs pos¬ 
sible research benefits). 

The AoIR guide provides other things: 

■ Ihe AoIR provides case studies that are highly useful in assessing ethical 
questions online. For example, they examine the question of whether chat 
rooms are public spaces and how notifications about a researcher’s presence 
may have an impact on those using the chat room. 

■ AoIR also provides a list of references and outlines of different leaders’ pro¬ 
cesses for ethical decision making and sample consent forms. 

■ Valuable concepts: AoIR’s thoughtful review provides concepts of eth¬ 
ics worth considering in any humanistic endeavor, including obligations of 
researchers to inform subjects, respect individuals’ private lives and families, 
and keep confidential the information subjects provide; the potential impact 
of research on a group using a website for its own purposes, that is, when 
the group must confront the unexpected intrusion of outsiders (possibly even 
insiders whose role as researchers is suddenly revealed) and the realization 
that users’ customs are not honored. This may come down to recognizing the 
“human rights” of an avatar or online community of avatars: the changing 


Copyrighted material 



134 ■ Cybervetting 


nature of Internet activities that themselves attract researchers but can be con¬ 
sidered in some senses the province of the users and out of bounds for others. 

■ Ihe concept of online research itself has become as nuanced as the Internets 
wide variety of activities. Virtual lives, MMORPGs, chat, blogs, and list 
serves (among others) present people in new dimensions. The researchers for 
science, sociology, and the humanities have considerably different motiva¬ 
tions from the researchers for intelligence, criminal investigations, back¬ 
ground vetting, and enterprise protection. 

As a confessed American (and utilitarian, in the terms of AoIR), I would sug¬ 
gest that where intelligence and investigations are concerned, materials posted for 
millions to see on the Internet are “fair game.” The naive view that publicly posted 
content is somehow protected from investigators defies common sense. However, 
the AoIR’s guide and similar thinking must inform the policies applied to unan¬ 
nounced presence in online venues by investigators and the uses to which collected 
content can be put, which should ideally be influenced by the basic human rights 
and mutual respect to which we are all entitled. In the end, bad behavior is unwor¬ 
thy of protection in public postings. 

Among the Version 2.0 (2012) ethical guidelines, the following are informative: 

■ Respecting international basic principles of ethical treatment of persons, 
including the fundamental rights of human dignity, autonomy, protection, 
safety, maximization of benefits and minimization of harms, or in the most 
recent accepted phrasing, respect for persons, justice, and beneficence 

■ Greater protection for those more vulnerable 

■ Inductive ethical decision making in a specific context, applying the 
Aristotelian principle of phronesis, that is, practical judgment in the situation 

■ Considering the rights of persons and the possibility that subjects’ rights may 
supersede the social benefits of the research 

■ Applying principles and input from all available sources at all steps in the 
research process, from planning to dissemination of published results 

Besides the AoIR standards, a book and journal articles by Heidi A. McKee and 
James E. Porter provide priceless views from the minds of Internet researchers and 
their subjects, ethicists, and those overseeing Internet research. 8 For example, the 
gamers generally feel that their avatars in virtual worlds deserve privacy. Researchers 
are advised to be intimately familiar with the online community they examine (i.e., 
they should spend many hours online) because nai’ve or clumsy intervention can 
wreck the cyber venue’s mode of existence. Even public forum participants have 
perceived expectations of privacy and are uncomfortable with outsiders capturing 
content about them. McKee and Porter amply illustrated the fact that, for many 
millions of people, the Internet is a different dimension of life, where participants’ 


Copyrighted material 



Professional Standards and the Internet ■ 135 


expectations and beliefs about their rights may differ from long-established under¬ 
standings of behavior in the physical world. Further, the authors’ findings help 
define sensitive situations for both researchers and their subjects, where added care 
is required because exposure could cause ridicule, embarrassment, or negative pub¬ 
licity pertaining to illegal activity, personal health, sexual activity, religious beliefs, 
sexual preferences, family background, traumatic or emotionally distressing life 
experiences (death, injury, abuse), bodily functions, or idiosyncratic behaviors, as 
well as information that the online community wants kept confidential. 

The stock that Internet behavioral researchers place in the feelings and beliefs of 
the subjects is not as appropriate for investigators and intelligence personnel because 
it is the feelings and beliefs themselves that are among the facts being collected. The 
more potentially problematic for the subject that the information may be, the more 
valuable it is likely to be in understanding the subject’s motivations and behaviors. 
However, the worry that any subject may have about exposure of his or her online 
activities to investigators should be mitigated by the protections afforded by such 
laws as FCRA and Title VII, which prohibit misuse and discrimination. 

Illegal activity is an appropriate target for investigators, and netizens who 
engage in it should not be able to shield themselves by their feelings that it should 
remain ignored. Because of the misprision of a felony law (requiring reporting of 
apparent crimes to a judge or civil authority such as law enforcement), it could be a 
problem for Internet researchers to conceal, and not report, felonious behavior they 
encounter. 9 Researchers focused on computer network protection face similar but 
different ethical issues in addressing the welfare of the Internet ecosystem. 10 In any 
case, the ethics of researchers and those of investigators have different purposes and 
foundations and properly should proceed their separate ways. There appears to be 
a fundamental dichotomy between academic considerations of ethical treatment 
of persons in a research context and law enforcement’s requirement and need to 
address illicit behavior that is conducted in public view. 

Proposed guidelines for Internet investigations appear in Chapters 11 to 13. 


Librarians 

The intelligence officer, sociologist, scholarly researcher, and student come together 
as customers of the librarian, whose services have changed dramatically with the 
growth of electronic books, publications, and materials and Internet availability of 
so much data. Indexing and search automation have revolutionized the finding of 
facts about people, businesses, government, topics, and any academic subject. 11 Not 
only do librarians provide essential assistance for all types of researchers, but also 
significant resources are available for free in libraries from subscription services and 
publications that would otherwise be costly for an Internet researcher. The approach 
of the librarian is to enable each patron while maintaining his or her confidentiality 


Copyrighted material 



136 ■ Cybervetting 


and privacy. Like the investigator, a librarian looks to the Internet as an additional 
tool to find all the available, authentic, reliable information on a topic. The Internet 
is viewed as a pathway to publications. Every intelligence collector, as an informed 
user, should understand that information placed online joins the world’s largest vir¬ 
tual library, made available to the largest collection of readers on the planet. 


Inside and Outside the Workplace 

Government and business attorneys considering Internet vetting often focus on 
some courts’ concern that background checking should be relevant to the specific 
position being applied for. In doing so, they often limit the universe of concerns to 
the workplace tasks and systems to which a newly hired person will be assigned, 
dhis is a fundamental mistake in today’s society because people use their personal 
computers for work, for work-related communications, to talk with both insid¬ 
ers and outsiders about work, to look for new work, and to network with many 
other people in and out of work. In addition, people commit violations of law, 
ethics, rules, employment standards, and good behavior while on the Internet from 
home, on their personal devices, and on their employers’ systems. In many cases, 
misbehavior is associated with an employer or with a person whose employment 
is publicly known. For example, many individuals use their work Internet service 
for Internet connections from home or elsewhere outside work and use their work 
e-mail address lor all kinds of personal communications, whether from work or 
home. 12 In some cases, employees use their personal computers to leak or disclose 
information that is detrimental to their employer, such as complaining about their 
employer online. Other examples abound. Even those whose workplace systems 
have stringent controls are not sufficiently scrutinized if the employer ignores what 
the employee may be doing using a home computer. In the course of 15 years of 
private-sector investigations, I found many users in online activities tied to their 
employer, without an authorized purpose. A favorite example is the fact that nearly 
1,000 members of one of the armed services used their e-mail addresses issued by 
the Department of Defense as their identifier in establishing their MySpace pro¬ 
files, posting voluminous facts about their service for anyone to see. Did they not 
think that adversaries in every nation on earth could surf the net? Their service likes 
to use social networking sites to publicize and recruit, but issues users instructions 
not to reveal military activities improperly. 

Monitoring proprietary systems is no longer enough for an employer to con¬ 
duct due diligence in the pursuit of protecting intellectual property or verify¬ 
ing that employees have not engaged in dangerous breaches of security. While it 
may not seem rational, many employees mix their roles in and out of work into 
their Internet activities. By doing so, they involve their employer by necessity in 


Copyrighted material 



Professional Standards and the Internet ■ 137 


their off-hours online world. Whether in e-mails, social network postings, instant 
messaging, tweets, or other online communications, at least 30% of todays work¬ 
ers have a prolific presence online. 13 Millennial employers ignore such millennial 
employees at their peril. 


Reputational Risk, Public Affairs 

As both business and government have recognized, the instant news and infor¬ 
mation dissemination taking place online pose an interesting dilemma for today’s 
enterprise. On the one hand, it is possible to get a message across immediately, 
cheaply, and to a targeted audience. On the other hand, because reports spread 
virally and are not fact-checked, it is possible for misinformation and damaging 
information to receive broad exposure. Retraction, correction, and remediation of 
false reports can take much longer, and be much more difficult, than the originals. 
Reputational risk has risen for all enterprises, especially because of the online dis¬ 
semination of all types of information about a business, agency, or organization. 14 
Blogs, message boards, social media, and other posting venues are more than a 
minor matter or distraction to nearly every major corporation. Not only must the 
public affairs and stockholder services offices work diligently to discover and refute 
false reports, but also it is normal for large enterprises to have a handful of true but 
damaging reports online at any one time. Irresponsible employees often post items 
using “anonymous” identities, usually including a free e-mail account from a major 
provider such as Yahoo, Google, Microsoft, or AOL. Although it is sometimes pos¬ 
sible to trace these anonymous posters, it is nearly impossible to undo the damage. 

Reputational risk is a major challenge to every enterprise because everything 
from stock value to regulators’ views of the company rides on what is said about it. 
Insider revelations can be major violations of Securities and Exchange Commission 
(SEC) regulations and other rules. When an individual becomes disgruntled in the 
information age, it is possible for the Internet to magnify the damage done by only 
a few choice postings, true or not. While the human resources department may still 
struggle with proper uses of the Internet in vetting, the other departments, includ¬ 
ing legal, marketing, public relations, security, and investor support, are busy daily 
with scanning the web for posts about the company. Trade media, now all online, 
are only one of the types of Internet publications of which they must remain aware. 
When an employee, contractor, supplier, or partner posts damaging materials about 
an enterprise, it is in the enterprise’s best interests immediately to discover and 
take appropriate action on the event. In considering any prospective candidate, 
the enterprise should consider if the applicant has a history of posting damaging 
material. This is but one of many examples of illicit behaviors that can be trivial or 
immensely important in the life of a corporation or government agency. 


Copyrighted material 



138 ■ Cybervetting 


Bottom Line 

It is more important to have defensible standards about Internet searching for infor¬ 
mation collection and intelligence purposes than to count on the specific stan¬ 
dards themselves, especially because the legal underpinnings are fluid. The lack 
of definitive legal rules has resulted in perhaps less Internet vetting than should 
be done. Uncertainty can be the enemy of sound ethical approaches. Anecdotal 
evidence suggests that individuals in many companies and government agencies 
are using the Internet in vetting candidates; looking up fellow employees, superiors, 
and business associates; and otherwise using web information as a key part of their 
decision making. Among the issues raised by this behavior is the potential liability 
of an enterprise without any rules or policies, the possible use of Internet search 
results in illicit or inappropriate ways, and the mistaken use of incomplete, inac¬ 
curate, unreliable, and false data. 

The proposed standards in Section III include many of the elements that are 
informed by the extant legal and ethical approaches provided for guidance to disci¬ 
plines both inside and outside intelligence and investigations. 


Notes 

1. ASIS International, Preemployment Background Screening Guideline , 2009, http://www. 
asisonline.org/guidelines/guidelinespreemploy.pdf (accessed August 10, 2010). 

2. Haefner, Rosemary, More Employees Screening Candidates via Social Networking 
Sites, http://www.careerbuilder.com/Article/CB-1337-Getting-Hired-More-Employers- 
Screening-Candidates-via-Social-Networking-Sites/?ArticleID= 1337&cbRecursionCnt= 
l&xbsid=ed3b3595c5334cb0b74dab54657de7a4-334768959-RS-4&:ns_siteid=ns_ 
us_g_careerbuilder_survey (accessed August 10, 2010). 

3. HireRight, The Evolving Practice of Social Media Background Screening, http:// 
www.hireright.com/blog/2013/05/the-evolving-practice-of-social-media-background- 
screening/ (accessed March 30, 2014). 

4. Lorenz, Mary, Two in Five Employers Use Social Media to Screen Candidates, 
July 1, 2013, Survey Results, Talent Factor, http://thehiringsite.careerbuilder. 
com/2013/07/01 /two-in-five-employers-use-social-media-to-screen-candidates/ 
(accessed April 23, 2014). 

5. NAPBS, http://www.napbs.com/media/Factsheet.pdf, http://www.napbs.com/ 
benefits/code_of_conduct.cfm, and http://www.napbs.com/benefits/BSAA_Code_of_ 
Conduct.pdf effective as of 2009 (accessed March 30, 2014). 

6. Fair Credit Reporting Act, http://www.ftc.gov/sites/default/files/fcra.pdf (accessed 
March 30, 2014). 

7. AoIR Ethics Working Committee, Ethical Decision-Making and Internet Research: 
Recommendations from the AoIR Ethics Working Committee , approved November 27, 
2002, by the Association of Internet Researchers (AoIR), an international association 


Copyrighted material 



Professional Standards and the Internet ■ 139 


of students and scholars in the field of Internet studies, http://aoir.org/; available online 
at www.aoir.org/reports/ethics.pdf and Version 2.0, a 2012 report, available at http:// 
aoir.org/reports/ethics2.pdf (both accessed March 30, 2014). 

8. McKee, Heidi A., and Porter, James E., Playing a Good Game: Ethical Issues in 
Researching MMOGs and Virtual Worlds, International Journal of Internet Research 
Ethics , 2, 2009, http://www.ijire.nct/issue_2.l/mckee.pdf (accessed September 21, 
2010); McKee, Heidi, and Porter, James E., Hie Ethics of Digital Writing Research: 
A Rhetorical Approach, CCC, 59.4, 2008; McKee, Heidi A., and Porter, James E., 
The Ethics of Internet Research, a Rhetorical Case-Based Process (New York: Peter Lang, 
2009). 

9. Title 18, US Code, Part I, Chapter 1, Section 4, Misprision of a Felony, http://www. 

law.corn ell.ed u/uscode/uscode 1 8/usc_sec_l 8_00000004-000-.html (accessed 

August 10, 2010) and similar state statutes. 

10. Kenneally, Erin, Bailey, Michael, and Maughan, Douglas, A Framework for 
Understanding and Applying Ethical Principles in Network and Security Research , US 
Department of Homeland Security Working Group on Ethics, 2010, http://www. 
caida.org/publications/papers/2010/framewo rk_ethical_research/framework_ethical_ 
research.pdf (accessed August 10, 2010). 

1 1. Cassell, Kay Ann, and Hiremath, Uma, Reference and Information Services in the 21st 
Century, An Introduction , 2nd edition (New York: Neal-Schuman, 2009), which con¬ 
tains excellent pointers for Internet researchers and librarians. 

12. Based on my over 15 years of collection and analysis of Internet data. 

13. The 30% estimate for those with a prolific presence online is derived from statistics 
published by the Pew Internet and American Life Project, http://www.pewinternet. 

°rg /• 

14. Deloitte Insights, Wall Street Journal, http://deloitte.wsj.com/riskandcompliance/ 
2013/04/25/three-steps-toward-managing-reputational-risk/ (accessed March 30, 2014). 


Copyrighted material 



Copyrighted material 



Chapter 11 

The Insider Threat 


Introduction 

A primary reason for considering Internet vetting is the fundamental changes that 
have occurred in people s behaviors since the 1970s in the workplace and since the 
early 1990s on networked computers and computing devices. The insider threat 
deserves in-depth analysis because it has such a large impact on all types of orga¬ 
nizations, but that is left for another day. Studies of industrial crimes, shrinkage, 
losses ascribed to embezzlement, and espionage have shown increases in the inci¬ 
dence and seriousness of insider crime for the past 20 to 30 years. However, precise 
metrics are lacking, and the relevance of available survey statistics in a field with 
so little tangible, public evidence is limited. Are we seeing better reporting, better 
detection, or a higher incidence of insider crime? We certainly are seeing a higher 
level of attention paid to the insider threat in government and industry, whether it 
is leaks, treason, workplace violence, or intellectual property loss that is the focus of 
concern. Even user errors cause serious losses. 

The insider threat is not well understood outside the confines of the individ¬ 
ual enterprise because statistical record keeping and reporting are inconsistent at 
best. Like economic espionage, the problem has been addressed over time much 
more rarely by law enforcement than by internal investigations and administrative 
resolutions. Most of the time, in my experience, the perpetrator is laid off, fired, 
or otherwise moved out. I am aware of some instances when felony crimes were 
addressed internally, and the employee retained, because of the wishes of high- 
ranking executives. In any case, insider threat mitigation varies greatly. 

As mentioned in previous chapters, an insider with access to information sys¬ 
tems, networks, and data is in a position to do great damage to the enterprise with 
substantially less prospect of detection than in the physical world. After all, the 

141 


Copyrighted material 


144 ■ Cybervetting 


nature of allowable postings about the business, so they look at online content as 
well. One or a series of postings from an insider can spell legal issues and regulatory 
investigations and possibly result in loss of market share or stock value. Specialists 
previously interested in TV time, direct-mail advertising, and Securities and 
Exchange Commission (SEC) filings now must also focus on Internet image and 
the posted comments of perhaps thousands of employees, customers, stockholders, 
and kibitzers. As market reputation has grown in importance, so has the potential 
for an insider or outsider to have an impact on that reputation. 

Every employer also must face the question of how employees view the infor¬ 
mation systems security controls and enforcement and the potential chilling effects 
(as well as impediments to efficiency) that security measures can cause. In an era of 
wild financial swings, layoffs, and restructuring, the written and unwritten com¬ 
pacts between employers and workers are at greater risk today than ever before. 
Employers exert efforts to treat employees and contractors humanely and struc¬ 
ture compensation and benefits, workplace ambience, and atmosphere to make the 
strongest possible positive impression on insiders. "Ihe natural balance and conflict 
between personnel and security departments figure into the workplace ethos, and 
both are vital to making the automated enterprise successful in making informa¬ 
tion technology (IT) a strategic differentiator for success. 

Among workers who are most familiar with the information systems they use, 
such as IT personnel, electronics engineers, programmers, and designers, there is a 
high recognition of the necessity for good behavior online and the need to monitor 
and enforce IT discipline. One good reason is the general realization among more 
sophisticated users that infiltration often occurs when user credentials are acquired 
by outsiders bent on penetration. Social engineering is a key “cracker” method 
for intrusions, but password-cracking programs, stolen laptops, inadvertent dis¬ 
closures, phishing, and shared log-on credentials are also frequent causes. There is 
a double-edged sword for employers who are successful in online security training 
and awareness for insiders: They are better prepared to help protect enterprise sys¬ 
tems, but they are also more likely to understand the value of the data to which they 
have access and the potential reward of theft. At the end of the day, the more savvy 
the user, the greater potential threat posed. Because history tells us that the actual 
number of malicious users is only a small percentage of the overall population, the 
risk does not appear unacceptably high. However, the insider is one case for which 
the potential impact of a security incident is so high that additional preventive 
methods are needed. 

So, the benevolent dictatorship of the enterprise must confront the inevitable 
balance between big brother and big buddy. A great advantage of knowing each 
insider through close association with supervisors, mentors, and teammates is that 
the temptation for abuse and crime is greatly reduced, and the probability of early 
intervention or detection is greatly enhanced. When information assurance, tech¬ 
nical, and human methods are combined, the insider threat is reduced to an accept¬ 
able minimum. 


Copyrighted material 



The Insider Threat ■ 145 


Notes 

1. Herbig, Katherine L., and Wiskoff, Martin F., Espionage against the United States by 
American Citizens 1947—2001, Technical Report 02—5, Defense Personnel Security 
Research Center (PERSEREC), July 2002, http://www.fas.org/sgp/library/spies.pdf 
(accessed March 30, 2014); Mitre Report (numerous authors), Analysis and Detection 
of Malicious Insiders, submitted to 2005 International Conference on Intelligence 
Analysis , McLean, VA; Shaw, Eric, Ruby, Keven G., and Post, Jerrold M., The Insider 
Threat to Information Systems, the Psychology of the Dangerous Insider, Security 
Awareness Bulletin , 2—98, June 1998; Randazzo, Cappelli, et al., Insider Threat Study: 
Illicit Cyber Activity in the Banking and Finance Sector, National Threat Assessment 
Center, US Secret Service and CERT Coordination Center, Carnegie Mellon 
University Software Engineering Institute, August 2004; Sulick, Michael J., American 
Spies: Espionage against the United States from the Cold War to the Present (Washington, 
DC: Georgetown University Press, October 2013), http://press.georgetown.edu/book/ 
georgetown/american-spies (accessed March 30, 2014). 

2. Symantec and 1DC, Worldwide Mobile Worker Population 2007-2011 Forecast, 
Symantec White Paper, March 2008; King, Rachael, Departing Employees Are 
Security Horror: Many Think Nothing of Taking Confidential Company Information 
With Them When They Leave, Wall Street Journal, October 21, 2013. 

3. InfoLink Screening Services (Kroll), Applicant Hit Ratio Analysis, 2005 (no longer 
available online). iNameCheck studies, see Chapter 4. Title 18, Section 1001, US 
Code, makes it a crime to deliberately falsify or conceal information, including appli¬ 
cations for employment, provided to the US Government, with a term of up to 5 years 
confinement and fine of up to $10,000 or both. Whether deliberate or accidental, 
failure to reveal online identities on applications might have the same effect. 

4. Based on numerous examples that came to the attention of my firm iNameCheck dur¬ 
ing the past 8 years. 

5. General Accounting Office, Employee Privacy, Computer-Use Monitoring Practices 
of Selected Companies, report to the ranking minority member, Subcommittee on 
21st Century Competitiveness, Committee on Education and the Workforce, House 
of Representatives, September 2002, http://www.gao.gov/new.items/d02717.pdf 
(accessed August 21, 2010); Needleman, Sarah E., Monitoring the Monitors: Small 
Firms Increasingly Are Keeping Tabs on Their Workers, Keystroke by Keystroke, Wall 
Street Journal online, August 16, 2010, http://online.wsj.com/article/NA_WSJ_PUB: 
SB 10001424052748703748904575411983790272268.html (accessed August 21, 
2010). 


Copyrighted material 



Copyrighted material 



Chapter 12 

Internet Vetting and Open- 
Source Intelligence Policy 


Introduction 

If you are doing research, investigations, or intelligence collection on the Internet, 
there is not much to worry about in terms of legal restrictions. By its nature, the 
Internet is a network of networks, designed to facilitate the sharing of information. 
Certain criminal laws prohibit computer fraud and abuse, including unauthorized 
access to or use of information that is accessible through the Internet but protected, 
interception of electronic communications in transit, and misuse of computer sys¬ 
tems and data in ways specified in various federal and state laws. Because of the 
designs of computers, networks, and databases, it is simply not possible beyond a 
point to secure them. Those who believe that any information that can be accessed 
is theirs to use as they see fit are sadly mistaken (but this feeling has a rather large 
following). Abuse is not tolerable—illegal or illicit behaviors are wrong. When we 
went online, we moved to a virtual neighborhood where most residents only use 
unlocked screen doors. That does not mean that burglary is no longer illegal. 

Before an enterprise embarks on a process to exploit the Internet for open- 
source information, it is a good idea—in fact, a necessity, according to the best 
attorneys I know—to have a policy for how to do so . 1 Like other intelligence col¬ 
lection methods, including human intelligence, surveillance, signals intelligence, 
and so on, open-source intelligence requires a set of standards that both enable 
success and avoid the pitfalls inherent in the practice. For a business, government 
agency, nonprofit, or other organization, it is important to recognize that Internet 
research, which has become indispensable for society, is at a relatively early stage of 


149 


Copyrighted material 


Internet Vetting and Open-Source Intelligence Policy ■ 151 


security varies for those allowed access, but internal systems are not intended 
for public access. 

3. Entertainment and social networking sites are optimized for public use and 
often allow for use by groups that are more private. These websites create 
networks of individuals so content can be shared, sometimes with access 
restrictions; connections can be made; and a variety of materials, such as 
blogs, photos, audio and video files, and other content, can be posted for 
sharing. Some content may be copyrighted, but much is intended for wide 
dissemination, and some items are intended for a restricted audience of reg¬ 
istered users, friends, and colleagues. Merely requiring membership to see 
content may not make data posted on these sites private because millions of 
users have access to postings without privacy protection, and an authorized 
recipient may reshare content with their own group. 

4. Businesses such as Internet retailers, financial firms, service providers, and 
so on have websites with functions designed to attract and inform customers 
(completely open to the public); provide data to registered users (restricted use, 
but relatively open, nontransactional information content); present account 
information exclusively to account holders (private access); and conduct 
transactions for registered and authenticated users (closed, limited-access sys¬ 
tems designed to prevent fraud and to facilitate online payments). The degree 
of security afforded to these three or four levels of access (envisioned by the 
Federal Reserve years ago, in its guidance to the nations online banks) is 
greatest at the transactional level. Unfortunately, it is that level of informa¬ 
tion that black-hat hackers seek to access and exploit. 

The first level of control for those setting Internet search standards is to ensure 
that practitioners understand the difference between public websites and those 
where restrictions on authorized use of content may have an impact on the deci¬ 
sion to collect and utilize posted information. By the time the data collected are 
reported, it may not be clear to a report reader where the items originated and what 
limitations, if any, need to be considered for their use. Therefore, the actions (if 
any) taken on an Internet intelligence report can violate a law, policy, or standard 
if the method of the search or its product is illicit or improper. One way to address 
thi s concern is to require explicit sourcing for each item reported from the Internet, 
with a notation if the item was retrieved in a manner not authorized by the website 
hosting the data or not published on the public Internet. Clients of investigative 
and intelligence reports (e.g., human resources, legal and security departments, 
policy makers) should establish clear expectations for collectors and analysts so that 
the enterprise does not inadvertently use reported data in an inappropriate manner, 
inconsistent with its policy. 

The anonymity of users on the Internet can benefit an intelligence officer who 
might access many websites to find instances of illegal or threatening behavior 


Copyrighted material 



152 ■ Cybervetting 


without revealing his or her role in intelligence. However, the possible uses of the 
information obtained might be limited by the manner of collection. It is useful to 
think of stored (not in-transit) information collected by investigators, intelligence, 
and security personnel in categories: 

■ Published data intended for use by everyone 

■ Published data intended for a limited group of people 

■ Data stored in a limited-access place for authorized users only 

■ Data stored in a secure place for access by specified users for restricted pur¬ 
poses only 

Because of the nature of the Internet, openness of users' postings, and avail¬ 
ability of effective search and collection methods, a good investigator will soon 
find that it is possible to gain access to information that the investigator was never 
intended to see. Contents of the information may well show the type of behavior 
or document facts that are most useful for judging the trustworthiness, character, 
or proclivities of the subject and hence be most useful in assessing the subject. But, 
because of the method of collection, an item retrieved in this manner may not be 
admissible as a piece of evidence, usable as a derogatory element in a report, or 
usable as a question for interviewing the subject directly. The suitability of an item 
for use in due diligence investigations (e.g., cybervetting) therefore may depend on 
its method of collection and whether the source can be cited openly. This is not to 
say that the item cannot be used at all in the evaluation or due diligence process. 
When a piece of information is found that cannot be used openly in an adverse 
action, it may still be useful in formulating interview questions; as a lead for fur¬ 
ther investigation (e.g., interviews of friends, co-workers, or acquaintances of the 
subject); and as a pointer to other potential sources online or offline, where public 
variations may be found (e.g., by using the handle or user name found in the private 
posting to find similar public postings). In addition, it is worth noting that having 
intelligence about a subject of importance, even if that intelligence cannot be used 
in a proceeding or report, can be helpful in protecting the security of an enter¬ 
prises people, assets, and information. For example, the orientation and training 
(including indoctrination) of an employee with a history of Internet misbehavior 
can include material addressing the high standards that apply for workplace com¬ 
puting. Monitoring and mentoring are other possibilities. 

Because investigative personnel often operate alone and rarely receive supervi¬ 
sory scrutiny over each step they take, investigators must adhere to the proper ethical 
standards on their own. At this writing, there are almost no guidelines for Internet 
searching. Therefore, there is virtually no scrutiny being given to the questions of 
whether the Internet is used, how cybervetting may be carried out, and the use of 
results in follow-up investigation. When ethical standards are established for the use 
of the Internet in investigations, there is a high likelihood that most investigators will 
follow those standards most of the time. Today, it is up to the individual investigator. 


Copyrighted material 



154 ■ Cybervetting 


difficult because their volume, archiving, searching, and applicability to almost 
any issue are likely to be burdensome on the enterprise and likely to produce evi¬ 
dence against the interests of the enterprise. Several general counsels of major busi¬ 
nesses with which I have consulted, and some government agencies, in the past 
have advocated systematic destruction of e-mails to avoid the “false positives” that 
are caused when employees include inaccurate, untrue, scurrilous, and defamatory 
information in their e-mails. Because e-mails occupy that netherworld between the 
formal business letter and the informal personal note, it is generally up to the user 
to keep the content true, proper, and civil. However, so much e-mail contains con¬ 
tent inconsistent with enterprise policy that it has become a legal issue for almost 
every organization. Civil litigation nearly always includes a motion for disclosure 
from enterprise documents and data (e-discovery), including e-mail, imposing 
procedural and technical issues with ever-growing volumes of documents stored 
electronically. Recent laws help regulate electronic disclosures in civil cases (e.g., 
changes to Rule 16, US Federal Rules of Civil Procedure, addressing the timing, 
scope, and cost of motions for e-discovery), but the law does not do much to miti¬ 
gate the need to preserve data. 

Unfortunately, data on the public Internet may well point to information within 
corporate walls, and the likelihood that Web references will help investigators to 
make successful electronic disclosure demands has grown with the volume of data 
escaping the enterprise and residing on the Internet. In addition, the indiscretion 
shown in Internet postings could make adversaries even more eager to access corpo¬ 
rate data because it is likely to contain some items bolstering legal claims. 

In a world of secrets, classified information, and vital intellectual property, 
the virtue of discretion has suffered a nearly fatal blow. The Internet has become the 
antisecret. Self-exposure has increased with the changing social norms propelled 
by the web. Those trained in the protection of classified information (and perhaps 
coming from an earlier generation) have a natural tendency to be more discreet, 
say less, and disclose less. Among other things, discretion involves choosing not to 
tell others something just because one knows it and being careful not to embarrass 
oneself by exposing something potentially harmful to oneself or one’s family, com¬ 
munity, or one’s employer. The Internet generation appears to be less discreet and 
more apt to disclose data that should be protected. As indicated previously, even 
one or a few indiscreet individuals can jeopardize the security and interests of an 
enterprise. Therefore, a key requirement for protecting classified data and intellec¬ 
tual property is the collective and individual discretion of those with access to it, 
and the ability ol the enterprise to detect instances of disclosure and exert discipline 
to discourage it. 

The rise in attention to social networking as a means of marketing, stockholder 
relations, and information collection has also given rise to some enterprise poli¬ 
cies worth noting, such as the model Social Media Policy posted by the Society 
for Human Resource Management (SHRM) and ruled lawful in May 2012 by 
the National Labor Relations Board. 6 Key elements of SHRM’s model guidelines 


Copyrighted material 



Internet Vetting and Open-Source Intelligence Policy ■ 155 


include legal and behavioral guidance for employees on posting that complies with 
the NLRB’s enforcement of employee-employer labor relations. 

These observations about enterprise policy on cybervetting and Internet collec¬ 
tion are meant as a starting point. All businesses, agencies, and organizations should 
have relevant policies designed to suit their needs. Because work-related postings 
and other online disclosures relating to the enterprise may include proprietary data, 
enterprise policy should include guidance on the information assets themselves. 


Information Assets Protection 

The following chapters specifically outline procedures to be used for Internet search¬ 
ing for intelligence, but it is important to have an ethical strategy based on core 
tenets. Among core tenets for a business or government enterprise are the following: 

■ Enterprise information is a key asset to be protected. 

■ Ihe enterprise will take all reasonable, legal measures to protect its systems, 
networks, and data to protect its information assets. 

■ All authorized users will be required to adhere to enterprise information tech¬ 
nology (IT) policies and should expect that their systems use will be scruti¬ 
nized for compliance, data protection, and effectiveness as needed at any time 
(as expressed in authorized use policies). 

■ Authorized users of any systems, business or personal, can create Internet 
records that could have an adverse impact on the enterprise because outsid¬ 
ers, unauthorized users, and adversaries of the enterprise may see Internet 
postings. Therefore, users should be careful what they post on the Internet. 
The enterprise may take measures to detect Internet postings that could be 
of concern and will discipline any authorized user found posting material 
deemed to be harmful to the enterprise. 

■ The enterprise respects the individual privacy of its authorized IT systems 
users and will take steps to ensure the protection of their personally identify¬ 
ing information. While enterprise IT systems are proprietary and exist for 
business use only, it is understood that users’ data will at times share enter¬ 
prise IT resources. The enterprise reserves the right to review all information 
residing on its systems at any time, for any purpose, and will take appropriate 
action if any information found is deemed to be improper or illicit or poses a 
potential risk for the enterprise. 

■ The enterprise expects all authorized users to be of assistance in protecting 
systems, networks, and data, and failure to help protect the enterprise will be 
subject to discipline. 

Full disclosure of these principles will help users to understand the value of 
IT systems and the need and intent that their employer has to protect itself in the 


Copyrighted material 



Chapter 13 


Tools, Techniques, 
and Training 


Introduction 

If your enterprise or unit needs a process for Internet searching, analysis, and 
reporting, it is important to ensure that those tasked with carrying out the process 
have adequate training and preparation to do so. Yes, everybody googles. That does 
not mean that everybody knows what they are doing or can properly assess the 
results. If investigative and intelligence conclusions are to be reached, strategies 
evaluated, and decisions made based on Internet data, there are basic attributes that 
are required for the execution of searches, which could be characterized as “user 
requirements,” like those specified for software systems requirements. 1 The search 
and analysis processes should deliver results that are, to the greatest extent possible, 

■ Reasonably complete and comprehensive 

■ Accurate, with identifiable references properly attributed to the subject 

■ Useful for the purpose for which the search was conducted 

■ From sources believed to be reliable 

■ Verified or verifiable through multiple sources and analysis 

■ Current and properly dated 

■ Efficient, that is, accomplished within allocated budget 

■ Timely, that is, accomplished within established deadlines 

■ Designed and conducted in a manner that does no harm to searchers or subjects 


157 


Copyrighted material 


158 ■ Cybervetting 


When my private intelligence practice began, we found that for search terms 
(people, firms, topics) with many references, it is possible to engage in endless col¬ 
lection and review of links, with the hope that the next click will bring you to the 
holy grail of the search. After a point, it is like the slots player at the airport in Las 
Vegas: How often will you win, and how many more times must you drop in a 
coin and wish? The house has the game stacked against you, and more play simply 
means more loss—just get on the departing plane. Therefore, it is important to 
establish at the beginning how much searching, review, and capture of results is 
enough for a given purpose or at what point the prospect of winning any more 
diminishes to near zero. 

When important decisions are to be made based on results, it becomes all the 
more important that the completeness of the search is sufficient that no major refer¬ 
ence is overlooked; the search engines and sites most likely to be productive have 
all been queried; and the additional leads found in initial search results have been 
incorporated into follow-up searches. For fairness in using cybervetting, a similar 
process must be applied for all candidates (or all candidates in certain categories, 
such as those seeking high-level clearances), so that there will be no discrimination 
in who is searched or the reach of the search. Because most of the references will be 
positive or neutral, the goal of the search is not to find what is derogatory (because 
that may not exist), but rather to meet the requirements set for a “full search.” The 
full search is to be defined by policy, which should describe the scope of the search 
as its most important attribute. When I searched Federal Bureau of Investigation 
(FBI) indices for references to a person of interest, in 28 years, I always found 
more than one person with the same name. On the Internet, the prospect that 
you will find only one of a kind, whether it is a person, business, or another search 
term, is low. Some people’s names are also common words (e.g., Baker, Price), so 
many references found will have nothing to do with the subject. Accuracy is essen¬ 
tial because there are not always secondary identifying factors to use in evaluating 
whether to attribute a reference to the subject of interest, such as with federal court 
indices, where names alone are used for parties to criminal, civil, and bankruptcy 
cases. It is possible to report items that may or may not be identifiable with the 
subject, but doing so may detract from the value of the report and raise questions 
that need resolution. Factors that can help determine whether a reference is identifi¬ 
able with a subject (besides having the same name) include geographical location; 
identifying numbers (e.g., Social Security number); physical description; age/date 
of birth; education; employment; city or community; activities; hobbies; sports; 
photos; advocacy (i.e., espousing the same position on topics); family; friends; and 
associations. The name of the subject can also be important because name varia¬ 
tions, nicknames, misspellings, and the like are common, dhe decision to report a 
questionable reference should depend on the relevance, and potential seriousness of 
the behavior or content, if it proves true and attributable to the subject. 

In vetting people and firms, it is often possible to find many references attrib¬ 
utable to the subject with a relatively high degree of accuracy. However, often the 


Copyrighted material 



Tools , Techniques, and Training ■ 159 


purpose of the search is to determine whether there are any derogatory references 
(e.g., arrests, civil suits, bankruptcies), and mountains of data that merely confirm 
what the requester already knows (e.g., address, employment, education) provide 
no added value. Required report contents should therefore be determined based on 
the purpose of the search before the search begins. A report can contain a complete 
profile of the subject, including all known, verified attributes; only specified bio¬ 
graphical items; or only derogatory or previously unknown data. How many prior 
addresses are needed in the report? Establishing the manner in which results will be 
reported makes the report ideally suited to the purpose for which it was requested 
and perhaps a much shorter task to accomplish (e.g., report only bad behaviors). 

Reliable sources exist on the Internet, but not all sources are equally reliable. 
Some sources (e.g., media reports) are generally reliable, but we all know of examples 
when the news media got the story wrong, and there is a reason that nearly every 
newspaper runs a corrections column. The analyst must assess the nature of the 
source: Is this a publisher whose purpose is to convey information (e.g., an obituary, 
list of graduates), to present well-documented events (e.g., a court case), or to argue 
for a viewpoint (e.g., a blog advocating a side on an issue)? An address directory is 
likely to be correct in most instances, but a social site posting may be a cruel joke. 
An Internet intelligence analyst must apply classical library or journalist standards 
to the evaluation of the reliability of the sources used and the confidence placed in 
the particular items reported. If appropriate, it will be necessary to find other sources 
to help verify the item or at least shed light on the authoritativeness of the source. 

Verifying information found on the Internet can be tricky. For example, find¬ 
ing a biographical profile of a subject can be helpful, but the first questions are 
these: Who posted it? Was it fact-checked? Is there independent confirmation of 
its contents? Many Internet searchers accept the contents of a Linkedln profile as 
factual, but forget that the subject himself or herself likely posted it. Likewise, other 
business, social networking, and job placement sites contain autobiographical cur¬ 
ricula vitae (CV). Because a considerable percentage of resumes, job applications, 
and self-descriptions contain exaggeration and outright untruths, it helps to com¬ 
pare fact-checked biographies with those of the subject. Even then, profiles should 
not be presumed accurate because a business will ask its executive to provide the 
biography posted, and there are few sources online that post CVs that are authored 
by someone independent of the subject. This illustrates the difficulty of verifying 
what you find online. Among many examples of “facts” I found online in the past 
8 years are the following: 

■ An erroneous police department posting of a “most wanted” person who had 
already been arrested, tried, convicted, and served time for the offense 

■ A government database of those sanctioned for misbehavior, accessible on the 
Internet, that contained no reference to a severe punishment issued to a per¬ 
son who was found listed in the same government agency’s online newsletter 
as having been punished 


Copyrighted material 



Tools , Techniques , and Training ■ 163 


have found that when two or more analysts focus on the same topics, the results are 
often better than when only one person does the task, and a reviewer (supervisor, 
editor, publisher) can strengthen the results that an individual analyst obtains. 
Everyone has access to the library, but it takes a librarian-analyst with practice and 
training to obtain the best results from the great global library of the Internet. 


Open-Source Intelligence Process 

For those contemplating becoming a professional in open-source intelligence, com¬ 
plete training is recommended. Because organizations are apt to task employees 
with Internet searching as one of their “other duties as assigned,” what follows is a 
brief summary of how a relative Internet novice can work to high intelligence stan¬ 
dards when carrying out Internet intelligence duties. As with all work activities, 
great improvement comes from better training and more experience. 

The purpose of intelligence and investigation is to find facts that allow decision 
makers to reach conclusions. To do so, open-mindedness, objectivity, a broad scope 
of general knowledge, curiosity, and determination are helpful to the researcher. 
Whether the subject is a person, company, organization, or topic, all of the subject s 
attributes are potentially important and so should be found and considered by the 
collector and analyst in formulating which attributes are relevant for decisions and 
appropriate for inclusion in the report. However, the focus of the inquiry may be 
defined more narrowly by the client. 

The client s requirements and the collector s standards control the scope, value, 
timing, and format of reports. Often, misbehavior plays a powerful role in deci¬ 
sions, and thus finding evidence of delinquency is an object of inquiry. Verification 
of the truthfulness, trustworthiness, qualifications, and eligibility of individu¬ 
als, organizations, and groups is also a frequent goal. Some think that the goal 
of vetting is to find instances of misbehavior, but in reality, the purpose is to find 
evidence about the subject to enable and support a decision about eligibility, quali¬ 
fications, and fitness. Sometimes, investigators cut their process short when they 
find significant indicators of unworthiness, but it is just as important to find miti¬ 
gating circumstances and verify the occurrence, seriousness, frequency, and impact 
of alleged wrongdoing within the time available and guidelines for collection. All 
inquiries seek certainty, but all collectors must exercise a certain degree of healthy 
skepticism, even if convincing evidence has been found. In the end, the people 
entrusted to investigate must seek the truth; thus, the process should always include 
verification if it is available. Clients should be counseled to seek further verification 
of derogatory information and interview the subject, if appropriate, to ensure that 
any adverse decision contemplated is based on all the facts. Sound practice may 
require that the subject be confronted with any allegations so he or she is given 
the opportunity to refute them. It is then up to the client to make final judgments 
based on the findings. 


Copyrighted material 



164 ■ Cybervetting 


Ihe intelligence collection process begins when the collector chooses sources 
and methods designed to find the facts needed to meet the goals of the case, within 
the resources and time available, to the client s specifications. Sourcing is critical to 
success. Where the Internet is concerned, the analyst must begin with the assump¬ 
tion that the Internet may have changed, even in the recent past, and it may be 
necessary to add, delete, or otherwise change the mix of online sources to be used. 
Continual monitoring of activities using Internet sources is increasingly important 
to decision makers in such areas as investments, risk management, brand protec¬ 
tion, employee vetting, operational security, and competitive intelligence. It may be 
worth the extra time to conduct a search for (new) sources prior to researching the 
topic at hand. Specific Internet sources are listed in later chapters. 

Responsible open-source intelligence depends on application of the well- 
established principles of all research, with added emphasis on assessment. When 
an authoritative or unique source provides ostensibly factual information, and 
especially when online sources with no history of reliability are used, due dili¬ 
gence requires asking and answering a set of appropriate questions. A short list of 
those questions includes the following: 

1. How factual is the information? Determining the accuracy of online infor¬ 
mation may not be easy. The Internets wide range of sources and purposes 
includes fantasy, games, social interaction, comedy, deliberately altered con¬ 
tent, controversial opinions, argumentation, religious zealotry, scientific 
controversy, and artistic expression, to name just a few. Media online and 
various organizations report results of surveys, opinion polls, and statistical 
trends that seem to change and vary and that have differing credibility. Even 
data-reporting measurements, time/date, and geospatial data can be skewed, 
falsified, or superseded by corrections not present in a posting. For example, 
some satellite map photographs might not provide recent, accurate, up-close, 
or clear views of the sites depicted. Some Wiki postings are deliberately 
slanted to manipulate the reader. Reports of events online are a good case in 
point. Web postings describing events involving civil disorders taking place 
in China, Iran, Burma, Venezuela, North Korea, and other media-controlled 
countries may lack the scope, accuracy, and verification expected from coun¬ 
tries with a free press. The usual intelligence and news media sourcing are 
unavailable, so analysts may have to rely on unverified eyewitness reports from 
Twitter, blogs, e-mails, posted videos, and so on. The inherently risky report¬ 
ing of events abroad becomes even more problematic when sources cannot be 
authenticated, facts verified, and potentially explosive content (e.g., bloody 
police-protester confrontations) put in context in a timely manner. Although 
the opportunity for almost anyone to post on the World Wide Web from 


Copyrighted material 



Tools , Techniques , and Training ■ 165 


anywhere has brought the world closer to us all, the need to derive consistent 
meanings from millions of voices is challenging. To determine the facts from 
Internet sources, analysts must consider the following related to the sources: 

■ Identity 

■ Bias 

■ History 

■ Sponsorship 

■ Closeness to the facts/events 

■ Expertise 

■ Potential to err 

■ Accuracy 

■ Timeliness 

The authoritativeness of the source is no guarantee of the factuality of 
events, observations, and items reported, but it can help address the accuracy, 
completeness, honesty, and intent of reports. The next logical test is whether 
other sources report the same things. Traps in multiple-source verifications 
include repeated reporting of the same individual sources data, which occurs 
when source specificity is absent. The media are especially inclined to pick 
up reporting from other publications and repeat an original report as their 
own, without verification. Sometimes, mere repetition leads to acceptance 
of a report as fact. Also, summaries of multiple reports, estimates, surveys, 
and projections can provide differing impressions, depending on timing and 
circumstances. Data completeness can clash with deadlines, and conclusions 
may differ as time goes on. So, while the ideal of multisource verification 
should be sought, each item should be judged on its own merits. 8 

2. What is the attribution of the posting? Did the subject really make the online 
“confession,” complete with video, for the world to see? Collectors should 
approach an online posting skeptically, as an artifact that can be analyzed for 
the likelihood that it is what it appears to be or may not be what it seems. If 
the posting contains facts, it may be necessary to verify them offline. A post 
we found had a photo of a wild-looking young man at a New Year’s Eve party 
with a caption something like “Joe on Meth.” Perhaps Joe was drunk or even 
on drugs, but the photo, which was tagged with Joe’s true name, apparently 
was posted by an anonymous “friend.” Fortunately, it was possible to iden¬ 
tify the friend from his user name, and clearly, interviews would be in order 
before attributing the use of drugs to Joe. Some clients would prefer not to 
pursue this kind of posting, but if Joe is addicted to drugs, he may not be a 
prime candidate for hiring or granting a clearance. 

3. How can the online data be verified? This is the classic intelligence dilemma 
because there may be only one source for an item that could cause an adverse 
judgment. In processing this type of information, the intelligence collector 


Copyrighted material 



166 ■ Cybervetting 


must look for separate reports and sources confirming the report and try to find 
other ways that the item can be verified. Sometimes, the Internet can provide 
evidence hiding in plain sight, as in the case of a subject with several reported 
instances of foreign travel to countries hostile to the United States, who had 
posted numerous photos of herself in various scenes at tourist sites in those 
countries. In a way, too much has been made about the parts of the Internet 
that cannot be trusted. Intelligence analysts do not seem to have great diffi¬ 
culties assessing supermarket tabloids as intrinsically different from the main¬ 
stream press, and experienced Internet analysts will also be able to weigh the 
credibility of online sources. As with all intelligence reporting, when an item 
may not be supported by independent evidence, there is a way to portray that 
information to the client while cautioning the client that it lacks verification. 

Reporting of Internet investigative results should be done to the same stan¬ 
dards required of reports from other sources. Topical headings can be used 
to organize the data into related groups. Each item should have a source cita¬ 
tion—the URL from which the item was taken. Where the item may be 
material to a decision, a copy of the web page should be captured (PDF for¬ 
mat preferred) and appended to the report. Examples of reports are included 
in Chapter 19. 


Quality Control 

To provide professional results, Internet intelligence collectors should draft reports 
that are reviewed prior to submission to the client. The reviewer and collector must 
develop and apply methods to ensure that the report of an Internet search is 

■ Accurate, that is, the search terms used are correct and the results are cap¬ 
tured in a forensically valid manner. In most cases, this means that spelling 
must be double-checked, and Web pages containing content of search results 
are captured. Digitally signing findings also ensures that the analyst can ver¬ 
ify that the image remains the same when reviewed later. Some utilities (e.g., 
programs that download web pages) normally date/time stamp the action 
for later verification. To be accurate, the contents of findings (e.g., names, 
places, dates, and descriptions) must be verified or at least be consistent with 
known facts. Items should be labeled or flagged if their content is actionable, 
comes from a unique source and remains unverified, or if there is doubt about 
accuracy, particularly if the item is derogatory in nature. The single greatest 
danger in using Internet intelligence is in accepting findings as fact without 
verification, which impugns the integrity of the report. 

■ Thorough, that is, as many logical search engines, sites, and potential sources 
of data on the topic as possible are queried for references. It is a common 


Copyrighted material 



Tools , Techniques, and Training ■ 167 


mistake for Internet searches to be conducted quickly and sloppily, omitting 
logical sources out of ignorance or laziness. Further searching on new terms, 
based on findings, can result in more and better results. If the search is part 
of an open-source intelligence collection process, the results will not be pro¬ 
fessional if the search is not comprehensive. Because Internet collection and 
analysis can be time consuming, there is an optimal balance in each situation 
between the time/labor available, research goals, and judging when “enough 
is enough.” But, certainly, Google alone is not enough. 

■ Timely, that is, contains up-to-date information, delivered within any 
required deadlines. Good analysts search, analyze, and report more rap¬ 
idly than others, but it is hard to say that any research is complete and final 
because there are so many different sources and, often, so many references 
to include or discount. A key danger in Internet intelligence searching and 
analysis is the compulsion to continue searching or stop prematurely. The 
analyst’s sense of when the process is as complete and accurate as possible is 
the art of the process. 

■ Fair, that is, includes references and details that have a high probability of 
being accurate and complete, without false references, major missing pieces, 
or subjective input from the analyst (including the analyst’s prejudice), and 
adherence to the standards set for the conduct of the process. People are 
rightly concerned about their personal privacy in the Internet age. However, 
individual subjects (and their acquaintances) publicly post a great deal of 
data of potential relevance to an Internet search for background vetting, 
due diligence, or the like. To be fair, a search report must not violate the 
Title VII discrimination standards (e.g., race, religion, national origin) and 
must respect the rights, including privacy rights, of subjects of inquiry. At 
this writing, fear of violating privacy rights or feelings of individuals is the single 
biggest reason why necessary Internet searching is officially avoided by some gov¬ 
ernment and business employers . 

In the intelligence community in the information age, the Internet provides 
just another type of open-source information—another INT, if you will (like 
HUMINT and SIGINT 9 ), perhaps WEBINT or CYBINT. 10 Incorporating 
online findings into all types of intelligence and investigative reporting should not 
pose difficult challenges and is already being done to a large extent. To the degree 
that specialization and further automation are required to derive the best possible 
information from WEBINT, there is progress being made. For background vetting 
and some types of investigations, additional policies and procedures are required 
to meet the same level of reliability as that found from other sources. The tools, 
techniques, and training, along with quality controls used, will determine success 
in adopting Internet searching as an added resource for collection. 


Copyrighted material 



Chapter 14 


Proper Procedures 
for Internet Searching 


Introduction 

Proper procedures are needed for Internet searching when an organization estab¬ 
lishes a policy for the use of intelligence gleaned from the Internet, such as for back¬ 
ground vetting, due diligence, competitive intelligence, and clearances. Practical 
methodology is covered in Section IV. This chapter is concerned with the strat¬ 
egy adopted by an agency or private entity for formal controls on the collection, 
analysis, and reporting of information from the Internet in compliance with man¬ 
agement policy, including security. Such controls became necessary because of the 
proliferation of sources of information accessible from the Internet and the wildly 
varying nature (quality, accuracy) of the data, as well as malware, online. If the 
Internet is used for collecting certain types of data, such as government records, 
scientific research citations, press accounts, or product descriptions, there is only 
limited concern about the attributes of that data (as set out in Chapter 13, such as 
verification). However, social networking, blogs, chat, and even posted videos and 
photographs have decidedly less reliability. One way of looking at the nature of data 
available over the Internet is to examine the disclaimers ever present on websites 
that essentially exempt the host from the necessity of vouching for the accuracy, 
completeness, and usability of the data presented. Such disclaimers speak to the 
expectation that the percentage of data with errors could be relatively high (or per¬ 
haps the website hosts do not trust computers). 


169 


Copyrighted material 


170 ■ Cybervetting 


Criteria 

As outlined in previous chapters, application of criteria for assessing the credibil¬ 
ity and value of information found on the Internet rests first with the collector and 
reviewer. When information is collected to support a decision-making process of con¬ 
sequence, the value, accuracy, and reliability of any source used must be considered. 
This is all the more important with Internet data. Each organization must decide for 
itself whether to have a policy and set procedural standards for using Internet sources, 
but among the areas where it is prudent to have such criteria are the following: 

■ Vetting individuals for hiring, employment decisions, clearances, and due 
diligence 

■ Vetting firms as suppliers and partners and for mergers and acquisitions 

■ Product and brand protection 

■ Competitive intelligence 

■ Enterprise security 

■ Criminal and administrative investigations 

A philosophical baseline analogous to the hearsay rule 1 applies to records based 
on Internet intelligence: If the source is a record created in the normal course of 
business, with a “business-grade” expectation of accuracy and reliability, then 
the information would normally be deemed credible. If the sources reliability is 
unknown, or the content is based on rumor, word of mouth, recollection, or a 
record created long after the fact, then additional verification will be needed before 
considering the information credible. The analogy is useful to an enterprise because 
when information rises to the level of intelligence or evidence (i.e., becomes the 
basis for a decision), it must meet higher standards. Ultimately, the question is: Will 
the finding be accepted by a court? Statistics are a good example of the dilemma 
facing the analyst because the old joke about lies, damn lies, and statistics often 
applies. The Internet can, for example, be a particularly useful tool to find different 
sources for statistical information on the same topic, so it stands to reason that a 
report can include numbers from various sources found on the Internet. The key to 
ensuring that such reports are reliable is that the data presented are up to the same 
standard, whether from the Internet or other sources. 

Based on the principles presented to this point, the procedures that should be 
considered for implementation by organizations for the types of Internet intelli¬ 
gence listed include the following: 

■ Establishing a cadre of trained, skilled Internet investigative analysts as part 
of the organizations security, research, legal, or personnel departments or as 
an independent entity, like a library, serving the whole enterprise 

■ Providing tools, training, policies, and procedures for the Internet analysts and 
ensuring that they are utilized when the Internet is exploited for decision support 


Copyrighted material 



Proper Procedures for Internet Searching ■ 171 


■ Subjecting reporting that includes Internet data to periodic ethical and ana¬ 
lytical review (i.e., audits) to ensure that the quality and reliability meet orga¬ 
nizational norms and comply with laws, regulations, and ethical guidelines 

If the organization decides to outsource Internet investigations (alone or as part 
of its strategy of background vetting, corporate intelligence collection, etc.), the 
same approach and standards as outlined should be required of the service pro¬ 
vider chosen. 

At the highest level of performance, it is also possible to set out the key require¬ 
ments that Internet analysts are expected to meet in their day-to-day functions, 
which include developing primary and alternative Internet sources along with cri¬ 
teria for credibility thereof; keeping up with Internet changes to add new sources 
when possible and replace those no longer useful; following the development of 
tools to make searching more efficient; monitoring legal decisions, statutes, ethical 
norms, and guidelines for the use of Internet data in specified areas (e.g., vetting); 
reviewing authorized use and privacy policies of specific source websites, such as 
social networking sites; and maintaining high ethical work standards. If an organi¬ 
zation treats Internet investigative analysts as a specialized group of professionals, 
their work product will support enterprise decision making. Without this kind of 
approach, it is possible that costly errors can arise from incomplete or flawed infor¬ 
mation found by inept googling in the normal course of business, and it is probable 
that such important decisions as hiring will be subject to charges of discrimination 
because random and unskilled searching and reporting by untrained individuals 
will seep into the hiring process and threaten its integrity. 

Organizations often avoid taking necessary steps toward progress until they are 
forced to invest the time and resources by events outside their control, including 
regulation and competition. In the case of Internet intelligence, a tipping point was 
reached at least 7 to 10 years ago, when the quantity, quality, and price of data on 
almost any subject became too great to ignore. The risk of inaccuracy and the skills 
needed to exploit the Internet efficiently have held back many firms, which often 
allow staff to use the Internet as they see fit. Professional researchers, including 
librarians, understand that the Internet is now an essential part of information col¬ 
lection and analysis on any topic. Law enforcement, intelligence analysts, corporate 
investigators, librarians, and researchers have similarly high standards for the reli¬ 
ability of sources. Provided that they have institutional support, such professionals 
can be trusted to exploit the Internet for all of their normal tasks. However, without 
such institutional support, they are left to their own devices and personal discretion 
in the handling of Internet information. Because of their experience and training, 
this type of professional analyst should have a role in establishing the procedures, if 
not also the policies, to be applied by enterprises in utilizing Internet data. 

A metaphor used previously for the Internet is a neighborhood where all the 
doors are screen doors. Because skilled investigators are able to look into the homes, 
past the screen doors, it is important to include ethics training with the legal training 


Copyrighted material 



174 ■ Cybervetting 


Because of malware and the possibility of downloading unwanted content dur¬ 
ing searching, those who intend to spend considerable time conducting Internet 
intelligence collection and analysis should consider the following approaches: 

■ Use a separate computer system for Internet searching. This might be a 
remote system (a “virtual workstation”). The analyst and system administra¬ 
tor should be prepared to rebuild the collection machine, if necessary, if it 
becomes debilitated by malicious code or content downloaded from searches. 
If damage occurs to the machine, at least the analysts and employer’s pri¬ 
mary systems are not impacted. A corollary is that because e-mail is often 
used for transmitting malicious code, users should consider separating the 
system used for e-mail from that used for the most sensitive personal and 
business data. 

■ Consider the right choices for browser, data capture, storage, and antivirus 
scanning. Because Internet Explorer from Microsoft is a prime target of mali¬ 
cious code writers, an alternative browser may reduce the vulnerability of 
infection. Other options include Firefox, Opera, Chrome, and Safari. 

■ Consider how to capture content. Because web pages are apt to change and 
there is no guarantee that a page will be cached or remain available, it is 
important to save an image of the page, which becomes part of the investiga¬ 
tive file and perhaps of the report. Options include copy and save into a docu¬ 
ment or spreadsheet, save as an HTML copy, capture an image of the screen 
(e.g., by a snipping tool like that of Microsoft), or print into a PDF document. 
Some documents or spreadsheets do not actually save “embedded” web con¬ 
tent, but rather save a link, so that a document might not be exactly what was 
composed if the Internet page changes. Using a PDF printed copy of the page 
does not guarantee an exact duplicate of the page’s appearance (because of the 
different ways that web pages are composed, including dynamic content), but 
most often, the text is captured accurately and the analyst can be sure that 
the saved PDF will retain its content indefinitely. In addition, the PDF copy 
can be digitally signed, providing verification that it is identical to the image 
originally captured. 

■ Consider how and where to store content. Files containing the results of 
Internet searches may contain sensitive and valuable data. Evidence, intelli¬ 
gence, and information of use in decision making should be stored in a secure, 
reliable manner, like other vital business data. Personally identifying informa¬ 
tion should be protected against unauthorized access and misuse. Stored data 
should be indexed to facilitate retrieval, secured to limit access and deny use 
to unauthorized parties (usually through encryption), auditable, and support 
chain of custody (should court use become necessary). Besides the potential 
need for retrieval for further processing, files may contain data of value in 
subsequent investigations (e.g., a background investigation on an associate 


Copyrighted material 



Copyrighted material 



Copyrighted material 



Chapter 15 

Preparation and Planning 


Introduction 

Planning is essential to success in all intelligence and investigative collection. 
Exploitation of the vast quantities of data on the Internet and accessible databases 
potentially relevant to any topic can be greatly enhanced by preparation. Some 
preliminary queries may substantially add to the searchers list of URLs (uniform 
resource locators) normally used for the type of subject being searched (e.g., people, 
businesses, brands), and some preparations should be done just before and during 
searching. 1 First, frame the question: What is known about the person, entity, or 
topic? Next, the search should be based on the following: 

■ Nature of the data needed: What is reportable? 

■ Purpose of the search (including potential uses of results) 

■ Best sources, including standard search engines and websites 

■ Geographical location 

■ Government jurisdiction(s) 

■ Resources available 

■ Time available (deadline) 

Alter deciding on an initial search strategy, keyword choices should be made. 
Keywords should include all logical and likely variations of the name, nicknames, 
user names, e-mail addresses, and other identifiers that potentially could appear 
in Internet postings and databases. Reverse directories can be consulted for co¬ 
inhabitants, significant others, and relatives. Sometimes, postings by people or 
entities close to a subject can include items containing important information 
about the person or entity of interest. It may be desirable to combine keywords 

179 


Copyrighted material 


180 ■ Cybervetting 


and use Boolean operators (and, not, or) to home in on the data specifically sought 
and perhaps find leads to further information. More about search strategy appears 
in this chapter, but it is important not to underestimate the value of preplanning. 

Databases available via the Internet include both paid and free resources, 
from both commercial and government sources. An initial consideration includes 
whether to use a subscription service (e.g., LexisNexis’s IRB, TLO, CLEAR) to 
find a profile of the subject based on such input as utilities, government and court 
records, real estate records, employment listings, licenses, credit data, and permits. 
One reason to consider this type of record check first is the rapidity with which 
it is possible to find a relatively reliable, detailed profile of a person or entity and 
confirm facts that will facilitate Internet searching, largely by allowing the analyst 
to eliminate references not identifiable with the subject using geography, age, and 
similar characteristics. 

One aspect of subscription services that should be borne in mind is that their 
records and source data used for their profiles contain errors, so important details 
provided should be verified. If a subscription service is not available, it is possible to 
use a pay-as-you-go online service, such as 

Intelius 2 
US Search 3 

InstantCheckMate.com 4 

PublicRecords360.com 5 

Please note that these examples are not being endorsed, and they represent 
only a lew of the seemingly large number of online database service providers that 
appear to be growing in numbers and service offerings. Most of these data brokers 
provide reports on a graduated price scale, so that a “complete background” with 
an arrest check could be $100, but determination or verification of address and 
telephone number might be $4.50. Understanding the reliability of the underlying 
source data is important for evaluating any data broker. For example, only 10-finger 
national checks done by the Federal Bureau of Investigation (FBI) and state police 
using their fingerprint files (or in some instances, DNA files) can provide relatively 
certain arrest and conviction checks. Even the best law enforcement and court 
records, however, contain incomplete, inaccurate, or otherwise unreliable content, 
largely because the input is missing or flawed because of resource limits. 6 

Depending on the purpose, deadline of the search, and the resources allocated 
to it, a decision should be made about whether to use a fee-based service at the 
beginning, or defer that choice until the end of an Internet collection project, if 
most of the information needed is on hand or if it is expected that the data will be 
available from free online sources. As with all investigations, identifiers are needed 
for accurate fee-based searches, such as full name, address, phone, date of birth, or 
Social Security/tax number. Comment : One does not have to be a licensed private 
investigator to use many fee-based online data providers—one only needs a credit 


Copyrighted material 



Preparation and Planning ■ 181 


card. Researchers who routinely access data brokers’ information as part of a paid 
service may be required to have private investigator licenses under many state and 
local laws. Because some data providers listed previously and others do not verify 
that online customers have licenses or any legitimate reason to collect information 
on people, it is possible that criminals or those with malicious intentions could 
amass a dossier on anyone. 

Internet vetting of people in support of employment background investigations 
can be the singular tasking of an analyst, and if so, the analyst should assemble a 
routine list of planned searches. However, when other types of investigations are 
conducted, the starting point may not be a detailed application or resume, but 
rather a few initial facts that may only include a telephone number, e-mail address, 
name, or nickname. In these types of cases, the search plan is fundamentally dif¬ 
ferent from repeated production of background facts. The analyst-investigator must 
use a series of searches to build the person s profile from whatever facts are available, 
and preparation must include a wide list of potential websites and sources that can 
help establish the identity of the subject and verify identifying information. 

Many people think that by using a major search engine (e.g., Google, Bing, or 
Ask) and querying a handful of popular websites (e.g., Facebook, Twitter), they will 
find all the relevant information needed. However, that approach will not provide a 
thorough search. Most competent Internet investigators have a list of favorite search 
engines, websites, and databases that they routinely include in collection, and they 
will recognize leads from references found and frequently find productive sources 
outside their normal URL list, based on experience and initiative. Because so many 
social and business networking sites create communities of relatives, friends, fellow 
employees, association members, and “birds of a feather,” it is often possible to find 
references to and even writings by a subject in postings under the profile of those 
close to him or her. Therefore, not only before the search begins but also as it is pro¬ 
gressing, experienced analysts will find and incorporate new search terms designed 
to unearth hidden references. Productive searches may be done on a combination 
of the subjects name and that of an associate, an attribute (e.g. “sales,” “poker,” 
“sailing”), an institution, or a profession. For example, one obtains different results 
by searching my name alone and by adding “FBI.” 

It is worth mentioning that true integration of Internet searching into the inves¬ 
tigative and intelligence processes means that when close associates of a subject are 
identified, solid leads for whom to interview as developed references will be found. 
Another important element in planning searches is to list websites where data may 
reside that have not been indexed by the major search engines and therefore may be 
part of the “invisible Web.” More is presented on that topic further in the chapter. 
Essentially, there are numerous databases accessible through Internet links that are 
not indexed by search engines. To find out if there are references to the subject in 
unindexed data, one needs to use the search interface provided on the host website to 
find stored information, rather than an Internet search engine. Government, univer¬ 
sity, library, private business, and media websites (to name just a few) provide access 


Copyrighted material 



182 ■ Cybervetting 


to databases that may contain substantial information about a search topic. For 
example, the current and archived stories of many news media sites can be searched 
online. Sometimes, there is a charge for accessing the full story behind a “hit” on 
the term searched (which may be presented in a brief excerpt). Often, an analyst 
must take care to conduct keyword searches in accordance with the database search 
protocol, which may differ from standard Google Boolean protocols. For example, 
the PACER (Public Access to Court Electronic Records) database of federal court 
records requires a search in the Last Name, First Name format. Dangers of this type 
of search include spending money to review and eliminate false positives and failure 
to find a record identifiable with the term searched. In any case, planning to include 
unindexed Internet content in searches is a necessary part of professional collection. 

Whatever the experience of the analyst, it is possible to start the search plan with 
a list of websites (URLs) where it is most likely that relevant references will be found. 
In manual searching, as well as in mapping out potential automated searches, having 
a list of URLs categorized by content is necessary to carry out comprehensive search 
plans. A great benefit of major search engines is that they can provide excellent lists 
of sites on which various types of data should be located. Planning a search should 
include a quick review of the types of sites where the subjects references will most 
likely be found. Among the sources and tools available (see Chapters 16 and 17) that 
may be cataloged for use in a search are the following: 

■ Directories 

■ Search engines (including metasearch engines) 

■ Specialized tools (archives, media, including news, video, audio, photos, music) 

■ Unindexed sites (e.g., invisible or dark Internet data) 

■ Private or proprietary sites 

In addition, sites containing blogs, social networking, government records, 
local news, associations, educational institutions, and similar content should be 
considered. Some of these websites may host substantial quantities of relevant but 
unindexed data or data indexed by a nickname unknown to the searcher. 

Although there is no substitute for training and experience, many people have 
taught themselves to be relatively competent Internet analysts by conducting many 
searches. Students often learn approaches to finding data on the web that elude oth¬ 
ers because of the academic disciplines available on campus and mentors, including 
librarians, instructors, and fellow students who freely share their methods to help 
each other succeed. 


The Library 

Many people may overlook a priceless resource that can save time and add expertise 
to any Internet search and could be a close ally of professional analysts—the library. 8 


Copyrighted material 



Preparation and Planning ■ 183 


Whether in a university library, company research unit, government library, county 
facility, or city library, the librarian has been trained to help the user find where 
to obtain the answers needed. Intelligence researchers often forget that outside the 
agency or company, almost any librarian is pledged to provide unbiased, confiden¬ 
tial assistance to help any client to find what he or she needs. Libraries not only 
contain volumes of data on any subject, but also today are apt to provide auto¬ 
mated indexes of publications, people, entities, and topics that can lead an analyst 
to the most authoritative and useful content on the topic sought. Because librar¬ 
ies subscribe to fee-based directories, indices, bibliographies, periodicals (including 
research publications), business profiles, and other sources, they are important 
sources to consider when planning a project. 

The Reference and User Services Association of the American Library 
Association defines reference transactions as “information consultations in which 
library staff recommend, interpret, evaluate and/or use information resources to 
help others meet particular information needs.” 9 Today’s library is likely to provide 
a website accessible to anyone on the Internet for general assistance and to library 
patrons with user credentials for specific services, possibly including access to sub¬ 
scription databases. Certain libraries provide helpful tutorials to assist in finding 
references on the Internet. For example, the Library of Congress has posted many 
excellent resources available over the web, such as an extensive list of online research 
resources at http://www.loc.gov/ (which includes search engines). The University 
of California at Berkeley posted a search engine tutorial at http://www.lib.berke- 
ley.edu/TeachingLib/Guides/Internet/SearchEngines.html. The three search engines 
Berkeley profiled are Google, Yahoo (which is another manifestation of Bing), and 
Exalead. The Humboldt State University Library has posted a tutorial on research 
strategy by topic at http://www.libguides.humboldt.edu/guides. A tutorial provid¬ 
ing frequently updated international search resources by Emeritus Prof. Wayne A. 
Selcher, PhD, of Elizabethtown College, 10 appears at http://www2.etown.edu/vl/ 
starter.html. dhese are examples of excellent resources readily available to anyone, 
including professional Internet researchers. 

A few hours’ reading of search tips (found by googling “Internet search tips” 
or similar terms) can provide a good primer for new analysts and can update expe¬ 
rienced searchers’ skills. Beginners in Internet searching may not be inclined to 
think of themselves as fledgling librarians, but in fact, they are asked to understand 
at least where to find the online directories and catalogs they may need to use for 
any type of search. Having library resources available may save much time and 
expense. When an investigator is starting the search for a new subject in a new 
area, the librarian can probably reduce the time needed to plan the collection by 
suggesting good places to start. Print and electronic copies of such reference works 
as telephone and crisscross directories, biographies, lists of publications, business 
profiles, medical resources, journals, legal references, obituaries (often a source for 
the living as well as the dead), government databases, and scientific resources are 
available through the library. The trend in publishing reference materials, including 


Copyrighted material 



Preparation and Planning ■ 187 


6. Bricn, Peter M., Improving Access to and Integrity of Criminal History Records, 
Bureau of Justice Statistics, US Department of Justice, July 2005, NCJ 200581, 
http://www.bjs.gov/content/pub/pdf/iaichr.pdf (accessed April 15, 2014). Neighly, 
Madeline and Emsellem, Maurice, Wanted: Accurate FBI Background Checks for 
Employment, National Employment Law Project, July 2013, http://www.nelp.org/ 
page/-/SCLP/2013/Report-Wanted-Accurate-FBI-Background-Checks-Employment. 
pdf?nocdn=l (accessed April 15, 2014). 

7. Sherman, Chris, and Price, Gary, The Invisible Web y Uncovering Information Sources 
Search Engines Can't See (Medford, NJ: Information Today, 2001). 

8. Cassell, Kay Ann, and Hiremath, Uma, Reference and Information Services in the 21st 
Century , An Introduction , 2nd edition (New York: Neal-Schuman, 2009). 

9. Ibid. 

10. Selcher, Dr. Wayne A., professor of international studies emeritus, Department of 
Political Science, Elizabethtown College, Elizabethtown, PA. 


Copyrighted material 



190 ■ Cybervetting 


documents, dhe analyst needs to look beyond the flash and find the facts, then 
capture the web page contents needed (at least the text containing the facts found). 

Fortunately for searchers, expertise in the Internets structural components is 
not needed for finding intelligence. However, it is important to remember that 
the programming behind everything we see on the web is responsible for how it is 
displayed, and we should capture content using appropriate tools to ensure profes¬ 
sional information collection and retention. Because the content of web pages can 
change frequently, it is imperative for an analyst/investigator to capture the report- 
able content properly at the time of the search. 

Every Internet page has a uniform resource locator (URL) address (i.e., what 
you see in the box at the top of the browser), which is translated by a Domain Name 
System (DNS) server into the correct Internet protocol (IP) address, to which the 
browser is directed. 5 Visiting an Internet page allows the browser to pull its content 
(via a stream of packets) into a computer and onto a screen that the user can peruse. 
Each link on which the user clicks takes the browser to a new web page. Before 
clicking on a link, the user must decide whether it is a likely source of useful infor¬ 
mation. As Internet information collectors become more familiar with sources, they 
initially assess the potential authority, accuracy, and reliability of references by the 
URLs of websites found in search tools. Further, it is often necessary to trace the 
authors and owners of websites to collect and analyze information and find leads on 
those hosting and posting on the Internet (more on that in Chapter 17). Therefore, 
it is important to understand the basics of URLs, IP addresses, and their roles. 6 

The many types of Internet content can be daunting to analysts, as it is neces¬ 
sary to find ways to identify, filter, capture, evaluate, and report the text, photos, 
videos, audio, and other content about a subject of interest. Generally, the content 
is in digital format, so it can be copied and filed by the investigator and digitally 
signed if necessary to preserve its integrity as evidence. 7 The systems and tools avail¬ 
able provide a solid start, but there is still no substitute for a trained, experienced, 
knowledgeable, and creative analyst who understands how to look for, find, assess, 
and report what is needed. Contrary to popular belief, there is no application—not 
even Google—that can easily find everything you seek. 


The Browser 

Using a computer s browser, 8 an analyst collects data from resources online and uti¬ 
lizes Google and other search engines to access websites. Professional investigators 
should become familiar with the functions of their browser when a search is con¬ 
ducted and may wish to experiment with different browsers to select the one most 
comfortable to use in searching. The popularity of browsers is measured differently 
by rival market organizations, and changes often, based on features favored by 
users. Besides Chrome (47% market share in some reckonings), Internet Explorer 
(25% market share), Firefox (about 20%), Safari, and Opera are popular browsers. 9 


Copyrighted material 



Search Techniques ■ 193 


accuracy of these estimates, Googles indexed pages represent only a fraction of the 
total number of pages available on the Internet. Of course, not all pages are suitable 
for indexing, such as those with dynamic content and those that are gateways to 
databases that Google cannot access or index. 

Inasmuch as Google is the habitual choice of most Internet researchers, 15 it is 
worthwhile for a user to become familiar with ways to obtain the best results from 
Google. Google tips and tricks (sometimes referred to as “Google hacks,” meaning 
specific ways to conduct advanced searches) are readily found and easy to under¬ 
stand and use and greatly improve results. 16 It is a good reminder to any researcher 
or analyst that it can be helpful to look at a search as a process in itself, which can 
be studied and improved to ensure the best results. A few minutes preparing to do 
the search in a cogent way pays big dividends in results. 

Getting to know the general ways in which search engines operate can be help¬ 
ful in evaluating the results and in further collection. Not all of a search engine’s 
indexed pages may be presented in search returns because the engine’s software may 
not include pages that are almost never visited. More searching may be required 
to find items that algorithms rank lower or that are not displayed in results. The 
subculture of advertising analysts and webmasters, who try to attract potential cus¬ 
tomers to websites and ads, carefully measures success in terms of the number of 
“hits” on sites, pages, and terms—page popularity. Search engines like Google, 
Bing, and Yahoo also measure the popularity of sites, pages, and terms but may 
elect not to index or present the least popular in search results. The analyst does 
not care how often a page was visited and is focused on finding all the substantively 
useful references to the subject. Therefore, the analyst should not assume that the 
search engine is prioritizing results in the most useful way for intelligence collection 
and analysis. 

Following are additional key attributes of the Google search: The combination 
of PageRank order of results and Boolean advanced searching with individual or 
multiple terms allows Google to deliver the most useful references for investigators. 
Special tools and features allow a focus on images, videos, maps, news, blogs, and 
so forth, and country-based searching, as well as topical searches (e.g., for busi¬ 
nesses in the United States, United Kingdom, or Canada). 

Translation of foreign language pages is available, although results are rough 
(i.e., ungrammatical and inaccurate in interpretation). Tracking and search prefer¬ 
ences allow analysts to use Google as an all-around, personalized intelligence col¬ 
lection platform, updating findings periodically. Cached pages allow access even 
if a page has recently changed. Google’s advanced search page allows a user to 
formulate single or multiterm search attempts without worrying about the precise 
Boolean query format. 

Besides Google, analysts should consider using other search engines to find 
additional references that are presented in a different order and may not appear in 
the first several hundred Google results. Google, Yahoo, Bing, and Ask together 
conduct over 97% of the searches on the Internet, as shown previously. It is useful 


Copyrighted material 



194 ■ Cybervetting 


to know these major engines (by popularity, volume of indexed pages, and potential 
to assist a searcher): 17 

Yahoo (yahoo.com) is reputed to have several billion pages indexed and currently 
a 10% share of searches conducted. Because of agreements with Microsoft, it 
appears that a Yahoo search actually employs the Bing search engine. Yahoo 
search ranks by keyword density and integrates its directories and other ser¬ 
vices (which are similar to Google s) well with searching. Boolean search pro¬ 
tocols are much like Google s. 18 

Bing, a Microsoft service, 19 has updated its search engine (since June 2009 called 
a “decision engine”) and in midsummer of 2009 agreed to power Yahoo! 
Search. Bings market share was recently over 18%. Bing includes seman¬ 
tic technology from Powerset (purchased in 2008), which reportedly allows 
results to include related searches to help users find information. Images, 
video, local, news, and product searches supplement web-wide searching, and 
services such as translation and mapping compete with Googles. Despite 
back-end updates and integration with social networking sites, Bing has 
lagged behind Google s market share. 20 

Ask.com, which finds answers to questions by searching its database, 21 was 
reputed to have over 2 billion pages indexed and conducted just over 
3% of searches in March 2010, but currently conducts about 2.4%. Ask 
reportedly ranked results by ExpertRank, the number of the same subject 
pages that reference a site. Refinement of search results through filters, 
suggestions, and editorial comments is its unique feature, including an 
attempt to allow users to phrase questions in “natural language,” as well 
as keywords. 22 

AOL search (now powered by Google), which owns MapQuest, enhances 
Googles search engine results with its own additions and conducts only 
about 1.3% of searches. 

Other search engines include AltaVista, which is powered by Yahoo, as is Fast 
(AlltheWeb.com). Gigablast claims to do “real-time spidering.” Netscape 
search is powered by Google. Snap.com is powered in part by Gigablast, 
Smarter.com, SimplyHired.com, and XI Technologies and enhanced by 
Ask.com. 23 Th ese search engines may not rank highest in number of searches 
conducted, pages indexed, market share, or elegance of presentation, but all 
have enjoyed a following because of their success in finding what a large num¬ 
ber of people were seeking. At this writing, it is obvious that consolidation 
has reduced the choices of search engines, legacy offerings are disappearing, 
and the trend is toward the top four. 

The choice of the search engines listed should not be interpreted as a rejection 
of others, such as Lycos.com, Mama.com, and Exalead.com (and there are others). 24 
These other search engines may not provide any more or better results than the 


Copyrighted material 



196 ■ Cybervetting 


Search Terms 

Even the best search engines depend on apt choices of search terms entered in the 
appropriate manner. The default operation of most search engines is to look for all 
and each of the words entered in the search box. A search for John Doe in Google 
produces references to John Doe, John (alone), and Doe (alone). Todays search 
engines use sophisticated algorithms to interpret a users request, including cor¬ 
recting spelling, finding similar topics, and incorporating commercials into search 
results. Although that is useful in many circumstances, results can be inundated 
with irrelevant references that the search engines algorithms included based on 
their own criteria. To search an exact word or phrase, a Boolean expression or 
advanced search must be used. This is important because searches for John Doe and 
“John Doe” produce quite different results. For some inquiries, searching both ways 
is appropriate. Following are some suggestions for search term selection: 

Use variations of names to capture all relevant references. For example, John 
James Doe can also be searched as John J. Doe, John Doe, Jack Doe, JJ Doe, 
and Doe, John. It can be helpful to include a discriminator (place, employer, 
school, activity, date) to find the right John Doe and to yield results that are 
more useful, such as John Doe Dallas, John Doe Texas A&M, John Doe 
Texas Instruments, or John Doe pilot. Knowing and using such discrimina¬ 
tors can be especially helpful when searching a common name and when 
looking for a particular set of references. If a Boolean operator like AND is 
the default, as in Google, simply adding the term in the search box works. If 
not, use the advanced search feature. 

Eliminate references not identifiable with the subject of the search. Perhaps John 
Doe the Cleveland sports star, who is not identifiable with the subject, has 
dozens of references in the first few pages of results. By using Boolean queries, 
one could eliminate the Cleveland Doe (e.g., by using the Boolean NOT query, 
searching John Doe -Cleveland or -Indians in Google). The single biggest prob¬ 
lem with the search engines is that they provide many references that are not 
useful, even though the results literally match the search term. Finding ways to 
help the search engine focus on the subject of interest will provide better results. 

Find Internet sites that may have information about the subject not indexed 
by search engines. If you find a reference to Texas A&M in your John Doe 
search, try the Texas A&M site, alumni organizations, professional organiza¬ 
tions in the subjects field, and the local or campus newspapers, TV channels, 
and news publications in College Station, Texas. Such websites may indeed 
have data on Doe that has not been accessible to search engines’ indexing. 
Such references may reside in databases that can easily be searched by going 
to the website and using its built-in search engine. Even if that website’s inter¬ 
nal search engine is Google, the data residing on servers accessible through 
the site may not be available to the Internet Google servers. 


Copyrighted material 



198 ■ Cybervetting 


content on these sites can change frequently. Rapid growth continued for almost all 
social sites in the past 5 years, including adoption of mobile versions for cell phone 
access. Growth in Internet use into 2014 included nearly universal use and longer 
times on social networking sites and a shift from MySpace (the previous favorite) to 
Facebook (now by far the favorite). Recent statistics from a study by Pew 29 showed 

■ 71% of online adults use Facebook 

■ 18% of online adults use Twitter 

■ 17% use Instagram 

■ 21% use Pinterest 

■ 22% use Linkedln 

Recent 2014 statistics from eBiz MBA 30 ranked the top 15 social networking 
sites and users: 

1. Facebook, over 900 million 

2. Twitter, 310 million 

3. Linkedln, 250 million 

4. Pinterest, 150 million 

5. Google+, 120 million 

6. Tumblr, 110 million 

7. Instagram, 85 million 

8. VK, 80 million 

9. Flickr, 65 million 

10. MySpace, 40 million 

11. Tagged, 38 million 

12. Ask.fm, 37 million 

13. Meetup, 35 million 

14. MeetMe, 10.5 million 

15. ClassMates, 10 million 

Users sign in using an e-mail address and password, some pick a nickname, and 
they have multiple ways to share and post information, varying levels of privacy 
settings, and a favored group of friends. True name searches can lead to Facebook 
profiles, whether conducted via Google or the Facebook website (because Facebook 
makes it easy to find and connect with friends and friends of friends). To see more 
than the public profile, one must sign in to Facebook (membership is free). Facebook 
also offers applications and features that facilitate sharing a variety of interests, from 
short notes to photos to links and other content. Facebook s authorized use policy 
(AUP) 31 states in part that a user will not employ an automated system to collect 
other users’ information without permission, will not post false personal informa¬ 
tion or create a false profile, and will obtain consent from users whose information 
is collected. An investigator can see the parts of a user’s Facebook profile that the 


Copyrighted material 



Search Techniques ■ 199 


user has decided will be displayed to the public (i.e., not limited to exposure only 
within a chosen circle of friends). Whether it might be considered a violation of 
the Facebook terms for an investigator to collect posted information without the 
consent of the user remains an unanswered question. A public profile that can be 
viewed without logging on to Facebook carries no privacy protection, and a profile 
accessible when signed on may be available to 900 million people (a number almost 
three times the US population—hardly what could be called “privacy protected”). 

Professional Internet searching cannot be contemplated today without includ¬ 
ing social network sites. Some companies offer commercial services providing the 
content of social networking sites about persons, labeling their service as cyber¬ 
vetting. Publicity about several companies’ services suggests that about 35 social 
networking sites are included in systematic automated collection for these services. 
Based on research for this book, it appears that a wealth of information may be 
available about a person from social networking sites. However, there are many 
other types of websites and databases accessible on the Internet that could also pro¬ 
vide valuable information about people and other topics. Restricting cybervetting 
collection to a limited number of social network sites omits not only those social 
network sites not chosen but also a vast range of other online data sources. 

YouTube (a Google property) hosts videos and currently holds massive numbers 
of postings, while serving millions of daily users uploading and viewing videos. 
The size of hosted content can be illustrated by a 2008 court case 32 in which a 
judge reportedly ordered YouTube to turn over about 12 terabytes of data docu¬ 
menting users’ viewing habits to Viacom, which sued YouTube over unauthorized 
display of copyrighted materials, including 150,000 clips that had been viewed 
1.5 billion times. Although videos can be an important source of information and 
documentation of misbehavior, they are currently searched by keyword, title, or the 
poster’s identity (usually a nickname) and not by matching video content, such as 
a facial image. 

MySpace, formerly the largest social networking site, still hosts about 10 mil¬ 
lion monthly US visitors. 33 True name searches will find MySpace hits, but most 
MySpace users’ profiles have nicknames. Nicknames can be handy for finding other 
Internet postings by the same person (i.e., by searching the nickname or e-mail 
address), but investigators must be careful because there are some popular nick¬ 
names used by several or even many people. MySpace links users with friends and 
their profiles; has blogs, photos, and videos; and specializes in music and entertain¬ 
ment choices. Bands, musicians, and performers have MySpace promotional pro¬ 
files. MySpace privacy and use policies 34 say that neither members nor visitors may 
employ users’ content without permission, whether posted publicly or for a limited 
audience through privacy filters. However, free membership, most members’ choice 
to display their content publicly, and indexing through search engines all mean that 
users should have no reasonable privacy expectations. 

Twitter is the largest “microblogging platform,” with over 645 million regis¬ 
tered and 115 million monthly users (according to some research), 33 with 58 million 


Copyrighted material 



200 ■ Cybervetting 


daily tweets, and reportedly receives 43% of its traffic from phones and 60% from 
third parties (social networking sites). About 40% of Twitter users look but do not 
tweet. Despite the limitation of 140 characters of text and public nature of tweets, 
people share some remarkably personal and revealing postings, including unflat¬ 
tering behaviors and statements. The Library of Congress is reportedly archiving 
all public tweets. Some advertisers and database services providers track tweets for 
such information as trends, marketing preferences, and security indicators, and 
some law enforcement and intelligence agencies analyze tweets for near-real-time 
threat and intelligence information. 

Linkedln, a business networking site, in March 2014 had about 50 million 
users, 36 with over 245 million visits and over a billion page views. Linkedln profiles 
are written and posted by members (unlike most of those on sites like Zoomlnfo. 
com and Plaxo.com, which harvest links and establish sometimes error-prone pro¬ 
files using automation as well as subscriber input). Linkedln provides a number of 
services to subscribers, such as sharing contact information and photos of members, 
displaying resumes, finding marketing and business opportunities, and staying in 
touch with old colleagues. Analysts should carefully verify details of items that 
users post, but because they are the best source of their own background informa¬ 
tion and may depend on Linkedln to find opportunities, there is logical support 
for the authoritative nature of profiles. Linkedln profiles can be useful when little 
is known about a subject and more education and work history are needed as start¬ 
ing points. Like a resume or application, the Linkedln profile requires verification. 

Professional investigators are well advised to keep up with less-popular social 
networking sites that may also provide information; this includes those listed in the 
top 15 social networking sites. The popularity of such sites is apt to evolve as 
the social networking marketplace changes. One of the trends visible in recent 
years is the posting of photos, videos, and other content “in the Cloud,” accessible 
to users on multiple devices. Publicly accessible data indexed by search engines may 
contain valuable cloud-based data for investigators. 

A separate category of popular social networking websites concentrates on find¬ 
ing mates, significant others, dates, and sexual partners; some of these sites have 
millions of subscribers. 37 These include Match.com (35 million estimated monthly 
users), PlentyofFish (23 million monthly users), Zoosk (11.5 million monthly 
visitors), OkCupid (10.2 million monthly visitors), and eHarmony (7.1 million 
monthly visitors). Many different types of dating and friendship websites exist 
for niche groups, including ones based on religion; sexual orientation; ethnicity; 
national origin; international affairs (“Russian women,” “Asian women”); biracial 
dating; wealth; and activity preferences. The AshleyMadison.com trademark is 
“Life is short. Have an affair” and describes a type of activity that has enough of a 
following online to warrant investigators’ interest. Most of these specialized social 
networking sites charge fees and require registration, and some claim to allow only 
those approved to become members. Many dating sites appear to cater to those 
seeking PG-rated social experiences; others offer an X-rated approach. Generally, 


Copyrighted material 



Search Techniques ■ 201 


subjects who subscribe to dating websites do not use their true names, and their 
user names do not appear in search engine results. 

As might be expected on the Internet, which still produces high profits for porn 
sites, there are quite a few websites that are focused on sex, porn, and “hookups” 
between people, both straight and gay. Most of these sites require membership and 
charge fees; many generate spam, display false but enticing offers, include explicit 
content on their pages and in subscriber communications unsuitable for most 
workplaces, display online porn offers, and even act as hubs for identity theft and 
malware distribution. 38 The home page of the adult type of site often contains views 
of nudity, sex acts, alternative lifestyles (e.g., bondage and discipline, fetishes, group 
sex), and other potentially controversial content. Display of such images and audio 
could be considered offensive and create a hostile work environment under Title 
VII of the Civil Rights Act. Often, porn/adult websites seem to have an uncanny 
ability to see the browser user’s location, as they display come-ons and pop-up ads 
featuring scantily clad or nude people tagged with a town near the user (matched 
through the IP address from the browser). Some porn sites generate cookies and 
open new browser windows with explicit content. Among the porn-social sites 
are AdultFriendFinder.com, XTube.com, Fling.com, WildMatch.com, even some 
links found on Craigslist.org, and many more. Some claim to be adult sex classified 
advertising. Some have been widely criticized (e.g., AdultFriendFinder) for fraudu¬ 
lent postings and links. Analysts need to consider whether to use a proxy server 
in accessing such sites (to shield the origin of the inquiry and protect the analyst’s 
computer from malicious code and advertising from the porn sites). Registered users 
on adult sites use nicknames and postings that are not generally indexed by search 
engines unless they are also listed elsewhere online. Because adult sites may be ven¬ 
ues for misbehavior, such as violating a company’s authorized computer use policy, 
an investigator may need to sign up to search for a subject on a particular site. 

Another category of website espouses or supports causes, advocacy, protests, 
and charitable fund-raising online, like Care2.com (which claims over 25.4 mil¬ 
lion members); Meetup.com (which hosts many different types of sites of affinity 
groups, causes, and protest groups); and Indymedia.org (which publishes stories 
and announcements about protesters’ causes). Intelligence collectors may need to 
focus on this type of site if civil disobedience, vandalism, or violence is threat¬ 
ened against a person or entity. Examples of protest groups that have engaged in 
illicit activities and have been accused of terrorist, animal rights, or eco-terrorist 
acts, include animal rights groups (e.g., WAROnline.org, SHAC.net, Animal 
Liberation Front at animalliberationpressoffice.org and animanliberationfront. 
com, DirectAction.info, People for the Ethical Treatment of Animals at PETA.org 
and StopAnimaHests.com) and environmental rights (Earth-Liberation-Front.org, 
OriginalELF.com, Protest.net). Other activism is focused on such causes as peace, 
antinuclear weapons/energy, anticorporate/World Bank/International Monetary 
Fund, communist, socialist, Maoist, Islamist, Neo-Nazi, white supremacist, gun 
rights, militias, and many other groups. Not all such causes, or their websites, 


Copyrighted material 



202 ■ Cybervetting 


espouse illegal activities to achieve their aims. However, planned activities such 
as demonstrations can include open invitations to individuals or groups that may 
engage in dangerous and illegal activities threatening business and government. 

Some websites belong to organizations advocating for rights, such as pri¬ 
vacy advocates like Electronic Frontier Foundation (eflF.org), Electronic Privacy 
Information Center (epic.org), and Center for Democracy and Technology 
(cdt.org). There are many others, of course, including political parties’ websites 
and their support groups, as well as think tanks, major nonprofits, and other non¬ 
governmental and nonprofit organizations. Although many pages of these sites are 
indexed, it may be necessary to search them directly to access documents referring 
to a subject that appear only in unindexed databases on the sites. 


E-Commerce Sites 

Certain e-commerce (online sales) websites have become so popular that they have 
captured vast audiences of Internet users from print and broadcast media, catalog/ 
telephone sales, and retail outlets. Of course, the major retailers like Wal-Mart, 
Sears/Kmart/Land’s End, Costco, Target, Macy’s, Nordstrom, and so on, all have 
useful online sales sites. In addition, some major corporations, particularly high-tech 
firms, have mastered Internet marketing of their products, such as Cisco, Dell, HP, 
Microsoft, Intuit (QuickBooks and TurboTax), Adobe, and others, many of which 
conduct the bulk of their sales online. Some pages of commercial websites may be 
indexed, but in a thorough search, it may be important to include a query on these 
websites: eBay and its companion site PayPal are the quintessential classified sales and 
payment processors on the US Internet. Many businesses have been built around their 
services, which include a measure of anonymity for users. Nicknames of users may be 
based on e-mail addresses or user names appearing in other places. Finding an eBay 
account may allow an analyst to detect activities such as selling items deemed inap¬ 
propriate (e.g., items apparently from work, like the individual we once found who 
was selling T-shirts and memorabilia from the TV show where he was a technician 
or the girlfriend of a manufacturing company employee found selling items from her 
boyfriend’s factory that had not yet been placed on sale to the public). Although eBay’s 
AUP does not allow illicit sales, it has powerful legal and security staffs who help law 
enforcement deal with persistent attempts to sell stolen, contraband, and improperly 
offered merchandise and sellers who take money without providing products they 
offer. PayPal has grown to offer commercial and credit card as well as small-scale per¬ 
sonal payments. Most PayPal accounts link to a user’s credit card or bank account as 
their foundational funding source. PayPal members can “bill” each other or outsiders 
with an e-mail that facilitates a transaction over PayPal. Investigators frequently must 
conduct a transaction to elicit identifying information about an eBay or PayPal user. 

Skype, a company founded by Estonian technologists, was bought and subse¬ 
quently sold off by eBay, acquired by Microsoft in 2011, and is an example of an 


Copyrighted material 



Search Techniques ■ 203 


Internet service offering communications capabilities to anyone with an Internet 
connection and host device. Skype is a massive peer-to-peer telecommunications 
network, offering free software, free computer-to-computer and Internet-to-phone 
telephone calls, video teleconferencing, instant messaging, and a degree of privacy. 
The privacy comes from the fact that packets sent from Skype software carrying 
voice or data travel over the Internet through other Skype users’ computers, and 
the packets themselves are privacy protected. "Ihis makes interception of Skype 
communications through a host’s routers difficult, if not impossible, and even if 
the packet stream is intercepted, it may not be comprehensible. Skype users employ 
nicknames as well as true names for accounts. Skype also offers low-cost telecom¬ 
munications services, both nationally and internationally, that connect with wire- 
line and wireless telecommunications carriers. Reverse directories do not usually 
list the subscribers to Skype telephone numbers. Some spam and automated solici¬ 
tations slip past Skype’s filters. Because the user chooses the area code of a Skype- 
issued telephone number, it may not be an indication of the subscriber’s actual place 
of residence. 

Craigslist is a large, online, localized, free classified advertising service that 
allows postings in a variety of types of listings clustered in regional geographical 
areas. Many types of resale personal items, notices, and service offerings appear on 
craigslist. Like eBay, some illicit activities (such as prostitution and sale of contra¬ 
band) may be detectable on craigslist. Users communicate through an anonymiz¬ 
ing e-mail relay interface or post their own e-mail address or telephone number. 

Amazon is a large Internet bookstore that has become a one-stop shopping 
website for media and all sorts of products, with some social networking features, 
hosting for client servers, and a commercial networking site. Using their account 
log-on, patrons can rate a book, publication, or other products, tagging such post¬ 
ings with a true name or nickname. Some users post frequently, providing insight 
into their views, reading/shopping habits, and personalities. Amazon’s Kindle is an 
example of an electronic reader-turned-tablet computer that has an Internet con¬ 
nection and allows a variety of activities with published materials. Other e-book 
readers and tablets available from Sony, Apple, Barnes &C Noble, and so on enable 
a variety of reading and computing options and Internet communications, some of 
which are hosted as well on smart cell phones and larger platforms. Based on the 
popularity of its iPhone, Apple (and its imitators) offers many types of networking 
applications on a cell-based Internet platform and on iPads and iPods that lead the 
way in continued evolution in networking for entertainment and communications, 
as well as other functions. Among these are geolocation-based services that allow 
users to connect, communicate, or query based on where they are. Fierce competi¬ 
tion is ongoing from many cell phone and device manufacturers. Because multiple 
types of Internet-based services and social networking are meshed in these plat¬ 
forms, searchers should anticipate that further development of these devices will 
continue to provide opportunities for intelligence for their users. 


Copyrighted material 



Search Techniques ■ 205 


Blogs 

Weblogs or “blogs” have evolved from commercial and personal online publish¬ 
ing and social chat functions. Blog sites (e.g., Huffington Post, BuzzFeed, Blogger, 
Wordpress) encourage readers to comment on postings, write their own publica¬ 
tions, follow topics and writers of choice online, and create new expressions of art, 
knowledge, guidance, commentary, news, formal and informal communications, 
and interest group notifications (among others). Blogs are so numerous (over 181 
million online in 2012, according to Nielsen) 39 that in almost any specialty area, 
it is difficult to keep up with their comings and goings and the fora influential on 
the topics discussed. Those writing blogs (over one-third of whom are housewives, 
according to Nielsen) and commenting on them often use pseudonyms or nick¬ 
names that must be searched to find what is published and must be matched with 
true identities. Blogs are often offered free hosting and software to help bloggers 
create essentially their own websites, which are sometimes refereed and sometimes 
unmonitored. Rants, comments, and postings can at times become crude and con¬ 
troversial. Almost any contentious issue will appear in the blogosphere. Finding 
postings by a subject can reveal strong personal feelings, demonstrate writing abil¬ 
ity, and illustrate a subjects maturity, judgment, and discretion (or lack thereof). 

Keyword searching for blog postings is facilitated by websites 40 such as the 
following: 

■ BlogSearch.google.com is Google’s all-around blog search engine, offering 
e-mail alerts, a “blog search gadget” for a Google home page, and a blog 
search feed in Google reader. 

■ IceRocket at http://www.icerocket.com/ provides blog and web searching and 
tracking and other tools and includes Twitter and MySpace in its searches. 

■ Technorati.com provides blog-searching tools and tracks the top 100 bloggers. 

■ BlogPulse at http://www.blogpulse.com/ was a Nielsen property that allowed 
blog searches until 2012. 

Chat 

Online chat rooms are nothing more than websites that allow users to type in 
text messages, monitor others’ exchanges (“lurk”), and follow specific topics, gen¬ 
eral areas of interest, or whatever users decide to post. Most chat content is not 
indexed or archived, but users can decide to copy and save dialogues, forward 
them, and quote them at will. There is no expectation of privacy in chat rooms, 
but each chat room has its own rules about participation, expected behaviors, and 
privacy, which are strictest for sites designed for teens and children. Usually, even 
in the strictest of chat rooms, the only penalty for violating such rules is expul¬ 
sion. Many chats are monitored (censored), but many are not. Today’s chat evolved 
from Internet Relay Chat (IRC), which developed before the modern Internet as 


Copyrighted material 



206 ■ Cybervetting 


a method for researchers using networked systems to exchange messages and dis¬ 
cuss ideas. 41 IRC channels exist among groups of users who consider themselves 
different from the great mass of Internet users. Among those still using IRC are 
computer programmers, hackers/crackers, peer-to-peer network relay aficionados, 
adult/porn sites (e.g., live video with text), gangs and criminal groups, as well as 
many types of innocent users. 

Webcams, cell phones, and other devices allow multiple group connections for 
chats within simultaneous chats. Some chats include voice exchanges, in either 
large or small groups. It appears that, generally, legacy forms of chat are giving 
way to other methods of online brief communications, including instant mes¬ 
saging (which can spontaneously connect two or more participants), conference 
calling, and Twitter. Investigators may find themselves in chat rooms in such cir¬ 
cumstances as monitoring adults seeking to lure children into sexual activities or 
tracing illicit activities involving hardware, software, movies, videos, and music. In 
such cases, capturing the content of chat is important, and searching for keywords 
may not be possible outside the website. Chat room users may choose an identifier 
unique to the site or use an online ID established already. Examples of popular 
chat rooms, 42 some free and some fee based, some requiring software for advanced 
features, are AOL chat, which also offers texting and video calling, Babel.com, 
Talkcity.com (now part of Delphi Forums at http://www.delphiforums.com/chat. 
ptt), ICQ (http://www.icq.com/en), PalTalk.com, ShoutMix.com, and TeenChat. 
com. Many others specialize in dating, flirting, matchmaking, affinity groups, 
nationalities, and multiple services like those offered by Yahoo and AOL. 

Additional search tools and strategies appear in the next chapter. 


Notes 

1. Internet World Stats, http://www.internetworldstats.com/stats7.htm (accessed 
April 15, 2014). 

2. HTML introduction, http://www.w3schools.com/html/html_intro.asp (accessed 
April 16, 2014). 

3. Oracle, http://www.java.com/en/ (accessed April 15, 2014). 

4. Adobe, www.adobe.com/products/flash.html (accessed April 15, 2014). 

5. InterNIC Domain Name System tutorial, http://www.internic.net/faqs/authoritative- 
dns.html (accessed April 15, 2014). 

6. IP address tutorial, http://computer.howstuffworks.com/internet/basics/question549. 
htm (accessed April 15, 2014); network packet structure tutorial, http://computer. 
howstuffworks.com/question525.htm (accessed April 15, 2014). 

7. Digital signature (and digital certificate, public key infrastructure) defined, http:// 
searchsecurity.techtarget.com/definition/digital-signature (accessed April 15, 2014). 

8. Browser definition, http://www.webopedia.eom/TERM/B/browser.html (accessed 
April 15, 2014). 


Copyrighted material 



Search Techniques ■ 207 


9. ZDNet report of NetMarketShare statistics, March 2014, http://www.zdnet.com/ 
browser-trench-warfare-early-20l4-report-7000027099/ and http://en.wikipedia.org/ 
wiki/Usage_share_of_web_browsers (accessed April 15, 2014). 

10. Malicious code (National Institute of Standards and Technology [NIST] definition), 

http://csrc.nist.gov/publications/nistir/threats/section3_3.html (accessed April 17, 
2014). Help Net Security report on malware on higher educational networks, 
http://www.net-security.org/secworld.php?id=l 5802 (accessed April 17, 2014). 

Security Engineering Research Team Quarterly Threat Intelligence Report, Q4 2013, 
Solutionary, http://www.solutionary.com/_assets/pdf/research/sert-q4—2013-threat- 
intelligence.pdl (acceSvSed April 17, 2014). 

11. comScore Releases February 2014 US Search Engine Rankings, March 18, 2014, 
https://www.comscore.com/Insights/Press_Releases/2014/3/comScore_Releases_ 
February_20l4_U.S._Search_Engine_Rankings (accessed April 17, 2014). 

12. Inside Search, Google, https://www.google.com/insidesearch/howsearchworks/ 
(accessed April 17, 2014); How Google Works, http://www.googleguide.com/google_ 
works.html (accessed April 17, 2014). 

13. Koetsier, John, How Google Searches 30 Trillion Web Pages, 100 Billion Times a 
Month, March 1, 2013, VB News , http://venturebeat.com/2013/03/01/how-google- 
searches-30-trillion-wcb-pages-100-billion-times-a-month/ (accessed April 17, 2014). 

14. Internet Live Stats, http://www.internetlivestats.com/total-number-of-websites/ 
(accessed April 17, 2014). 

15. comScore Releases February 2014. 

16. https://support.google.com/websearch/answer/35890 (accessed April 17, 2014). 

17. Harry, David, How Search Engines Rank Web Pages, September 2013, Search Engine 
Watch, http://searchenginewatch.com/article/2064539/How-Search-Engines-Rank- 
Web-Pages (accessed April 17, 2014). 

18. See https://help.yahoo.com/kb/index?page=answers&startover=y&y=PROD&source= 
home.landing_search&docale=en_US&:question_box=web%20search (accessed 
April 17, 2014). 

19. See http://onlinehelp.microsoft.com/en-us/bing/ff80841 5.aspx (accessed April 17, 
2014). 

20. See http://en.wikipedia.org/wiki/Bing_(search_engine) (accessed April 17, 2014). 

21. See http://www.ask.com/web?q = how+ask+works&qsrc = 3646£o = 0&d = dir&qo = 
homepageSearchBox (accessed April 17, 2014). 

22. About Ask.com, http://about.ask.com/en/docs/about/index.shtml (accessed 
August 21, 2010). 

23. Descriptions are from the search engines themselves. Prescott, Lee Ann, Social 
Networking by the Numbers, principal, Research-Write, December 2009, http://www. 
slideshare.net/laprescott/social-networking-by-the-numbersdecember-2009 (accessed 
April 10, 2010). 

24. See http://www.thesearchenginelist.com/ (accessed April 17, 2014). 

25. Sherman, Chris, Metacrawlers and Metasearch Engines, Search Engine Watch, 
March 23, 2005, http://searchenginewatch.com/215624l (accessed April 17, 2014); 
UC Berkeley, Meta Search Engines, http://www.lib.berkeley.edu/TeachingLib/Guides/ 
Internet/MetaSearch.html (accessed April 17, 2014); Wikipedia, http://en.wikipedia. 
org/wiki/Metasearch_engine (accessed April 17, 2014). 

26. http://www.dogpile.com/support/Faqs (accessed April 17, 2014). 


Copyrighted material 



208 ■ Cybervetting 


27. Boswell, Wendy, Clusty, http://websearch.about.eom/od/enginesanddirectories/a/ 
clusty.htm (accessed April 17, 2014). 

28. About.com on Mamma, http://websearch.about.eom/od/metasearchengines/a/ 
mamma.htm (accessed April 17, 2014). 

29. Social Networking Fact Sheet, Pew Internet and American Life Project, September 
2013, http://www.pewinternet.org/fact-sheets/social-networking-fact-sheet/ (accessed 

April 17, 2014). 

30. http://www.ebizmba.com/articles/social-networking-websites (accessed April 17, 
2014). 

31. https://www.facebook.com/legal/terms (accessed April 17, 2014). 

32. Helft, Miguel, Google Told to Turn Over User Data of YouTube, New York Times , 
July 4, 2008. 

33. Quantcast April 2014 statistics, https://www.quantcast.com/myspace.com (accessed 
April 17, 2014). 

34. MySpace Terms, https://myspace.com/pages/terms (accessed April 17, 2014). 

35. Statistic Brain, January 2014, http://www.statisticbrain.com/twitter-statistics/ 
(accessed April 17, 2014). 

36. Quantcast, March 2014, https://www.quantcast.com/linkedin.com?country=US 
(accessed April 17, 2014). 

37. eBiz MBA April 2014, http://www.ebizmba.com/articles/dating-wcbsites (accessed 
April 17, 2014). 

38. Pepitone, Julianne, Porn Dethroned as Top Source of Mobile Malware, NBC News , 
March 2014, http://www.nbcnews.com/tech/security/porn-dethroned-top-source- 
mobile- malware-n44371 (accessed April 17, 2014). 

39. http://www.nielsen.com/us/en/newswire/201 2/buzz-in-the-blogosphere-millions- 
more-bloggers-and-blog-readers.html (accessed April 17, 2014). 

40. Descriptions were obtained from the websites themselves. 

41. IRC descriptions may be found at http://irchelp.org/ and http://www.livinginternet. 
com/r/r.htm (accessed April 17, 2014). 

42. Ibid. 


Copyrighted material 



Chapter 17 

Finding Sources 


Introduction 

Thousands of websites offer access to government records and other types of public 
information compiled by agencies, nonprofits, news organizations, and commercial 
enterprises. Investigators should remember that, as with other published materials, 
verification is necessary before accepting any record as fact and before assuming 
that when a record is not found in an online database, it does not exist. In all proba¬ 
bility, even a thorough search will not include absolutely every database or reference 
that could contain a reference to the subject. However, by maintaining an up-to- 
date, complete list of uniform resource locators (URLs) for potential searches, the 
analyst can credibly assert that a search was as thorough as possible. Not all govern¬ 
ment and commercial records are offered online, not all online records are offered 
free, and it is not always possible to obtain identifiable records because many reposi¬ 
tories offer only a name to match, without other identifying data to verify that it is 
the same person as the subject. 

It is appropriate to spend a moment on disclaimers, which are found with virtu¬ 
ally all databases. Disclaimers generally say that the agency or entity hosting the 
database is not responsible for any errors, and use of the data found is the respon¬ 
sibility, and at the risk, of the user. Some disclaimers sound like they were written 
for software (disclaiming liability for any use, any damage, or failure to perform 
as indicated). If the implicit threats we read in this type of disclaimer were true, 
then the database might have little value, like software that would not work in 
your computer. Yet, we should not depend on data that may contain errors (and 
have little choice but to trust the software, despite disclaimers). The solution is to 
be careful to verify relevant facts found in records and to understand that even a 
fairly low percentage of risk in the accuracy of data or functioning of the database 

209 


Copyrighted material 


Finding Sources ■ 211 


The US Department of Commerce, Bureau of Industry and Security, publishes a 
Denied Persons List at http://www.bis.doc.gov/index.php/the-denied-persons- 
list; the list delineates those entities and persons denied authority to export. 

The US Customs Rulings Online Search System (CROSS) is available at http:// 
rulings.cbp.gov/index.asp. 

The Securities and Exchange Commission (SEC) enforcement actions are avail¬ 
able at http://www.sec.gov/divisions/enforce/enforceactions.shtml, and the 
EDGAR (Electronic Data Gathering, Analysis, and Retrieval) system allows 
a user to search for company filings with the SEC at http://www.sec.gov/ 
edgar/searchedgar/webusers.htm#.U7DaD_l92GJ. 

The Department of Health and Human Services (DHHS) excluded individu¬ 
als and entities search is available at http://exclusions.oig.hhs.gov/, and fraud 
enforcement is searchable at http://oig.hhs.gov/fraud.asp; the Federal Drug 
Administration debarment list can be found at http://www.fda.gov/ICECI/ 
EnforcementActions/FDADebarmentList/default.htm. DHHS also lists 
names ol those who have defaulted on student loans at http://bhpr.hrsa.gov/ 
scholarshipsloans/heal/defaulters/index.html. 

The State Department posts lists of foreign terrorist organizations at http:// 
www.state.gov/j/ct/rls/other/des/123085.htm. 

The Justice Department posts a searchable, nationwide list of registered sexual 
offenders that interacts with state and territorial lists; it is available at http:// 
www.nsopw.gov/PAspx AutoDetectCookieSupport=l. 

The Bureau of Federal Prisons has an inmate lookup list available at http://www. 
bop.gov/inmateloc/. 

Other agencies offering online postings of enforcement activities include the 
Occupational Safety and Health Administration (OSHA) and the National 
Labor Relations Board (NLRB). 

The Patent and Trademark Office offers search options on its site at http://www. 
uspto.gov/patents/process/search/index.jsp, but often search engines will find 
references to patents and inventors placed online by commercial firms. 


State, County, and Local Governments 

State, county, and local government information also can be found online, as agen¬ 
cies scan and load records into databases to make operations more efficient and to 
comply with open-government laws and regulations. It is important to remember 
that many government agencies (e.g., the 3,069 US counties)' struggle with the 
cost and complexity of compiling and maintaining records, and automation has 
not gone smoothly at some (witness the debacles in federal and state attempts to 
automate registration for health care insurance in 2013—2014). Vital records such 
as births, deaths, marriages, and the like have been transitioned from paper to 


Copyrighted material 



212 ■ Cybervetting 


computers, but many state and county agencies hosting such records have relied 
on fees to offset the costs of maintenance and staffing. Therefore, it is not unusual 
for agencies to require registration and charge users a fee for an online search, for 
records retrieval, and for a certified copy of the record—even though the record 
must be publicly available by law. Some jurisdictions charge more than others, 
some require a subscription or account for access, and many opt to provide records 
through selected contractors or automation providers such as LexisNexis. 

Handy websites for locating online government records are provided by 
BRB Publications at http://www.brbpub.com/default.asp and http://www. 
publicrecordsources.com/. Professional licenses can be found at http://www. 
verifyprolicense.com/, from the same publisher. Links help the searcher to find the 
right county for an address, free online public records, and research companies that 
will retrieve records from a courthouse or government office for a fee and list pub¬ 
lications to help searchers learn about how different types of records are accessed 
and kept. Each state, county, and municipality may have different standards and 
access rules, although many states have attempted to allow searches of all county 
court records through a single state web portal. It is prudent to spend a few minutes 
determining what types of online records a state or other government entity may 
offer because the records could include the subject of inquiry, more are available 
online than ever before, and more come online frequently. 

Reference works such as Hetherington and Sankey s The Manual to Online 
Public Records , which provides a state-by-state listing with government records 
URLs, can be helpful, but no sooner do such books go into print than some of 
the records offered, or the URLs, change. 2 One can always search the Internet for 
a current link to a jurisdictions online records (e.g., “Montgomery County, MD, 
property records”), but be careful to distinguish the government links from the 
commercial ones. Among the types of records that may be of use when posted are 
the following: 

■ Vital records (birth, death, marriage, divorce) 

■ Criminal and civil court records (including family and traffic courts) 

■ Sexual offender registry 

■ Corporation, company, and commercial entity registrations 

■ Uniform Commercial Code (UCC) records 

■ Real estate property, assessment, and tax records 

■ Workers compensation records 

■ Driver records 

■ Vehicle and vessel ownership and registration 

■ Accident reports 

■ Occupational licensing (usually handled by separate boards for each specialty) 

■ Prison inmates and incarceration records 


Copyrighted material 



Finding Sources ■ 213 


■ Tax delinquencies and auctions 

■ Voter registration 

Sometimes, a local record might surprise you with an unexpected posting. For 
example, we found a “most wanted” poster displayed online by a small municipal 
police force, stating that our subject was wanted for fraud. It was interesting to 
find the posting, and the crime had been committed by the subject. We knew 
that because months before the online posting, the subject had appeared in court 
and pled guilty to the fraud charges. In fact, the subject had finished serving his 
sentence by the time the wanted poster was found online, so he was no longer 
“wanted.” This instance illustrates the fact that an analyst must be careful to weigh 
all the facts found in postings, and to assess not only their relevance but also their 
timeliness and reliability, before reporting the instance as found. It is also prudent 
to include analyst comments when there is doubt, uncertainty, or lack of accuracy 
in any aspect of the findings reported. 


Other Government-Related Sources 

Other government-related sources are available: 

The World Bank posts a debarment list (disallowed contractors) at http://web. 
worldbank.org/external/default/main?theSitePK=84266&contentMDK=64 
069844&menuPK=l l6730&pagePK=64l48989&piPK=64l48984. 

The POGO (Project on Government Oversite) website posts a list of fed¬ 
eral contractors alleged to have engaged in misconduct at http://www. 
contractormisconduct.org/. This database contains some well-known, large 
companies and lists allegations and contract amounts. 

Health Guide USA has links to each states medical license databases to allow 
verification for physicians’ credentials: http://www.healthguideusa.org/ 
medical_license_lookup.htm. 

GuideStar lists nonprofit entities in a searchable database (with registration 
required for details) at http://www2.guidestar.org/Home.aspx. 

A private company, Prime Time Publishing Company, offers to validate Social 
Security numbers. When a Social Security number is entered at http://www. 
ssnvalidator.com/, the system verifies that its user is not deceased and pro¬ 
vides the approximate date and state of issuance. 

Active military and veterans of the armed forces can be found on a variety of 
websites, including http://www.military.com/buddyfinder/, http://www. 
military-search.com/, and http://www.searchmil.com/. Some of these sites 
include ads from fee-based people search services. 


Copyrighted material 



214 ■ Cybervetting 


A directory of federal agencies at http://www.usa.gov/directory/federal/index. 

shtml can be used to locate and contact federal employees. 

The Council on Licensure, Enforcement and Regulation has a directory of pro¬ 
fessional regulatory boards and colleges online at http://www.clearhq.org/. 


Business-Related Sources 

A variety of information sources about businesses provide online access to pro¬ 
files, including corporate filings in the SEC s EDGAR database at http://www. 
sec.gov/edgar.shtml. For private lists of profiles, Hoovers at http://www.hoovers. 
com/, Dun & Bradstreet at https://creditreports.dnb.com/rn/homePstoreIdnil54, 
and the Better Business Bureau at http://www.bbb.org/search/ are good sources. 
Other options include the http://biznar.com/biznar/ “deep web business search” 
(with sometimes bizarre search results), http://us.kompass.com/, which says it lists 
millions of businesses, and Yahoo business directory (which includes company 
websites) at http://dir.yahoo.com/business_and_economy/directories/companies/. 
A manifestation of user-provided information on businesses and people is the web¬ 
site http://www.corporationwiki.com/, and http://www.wikipedia.org/ is also apt 
to have information posted on many businesses. As telephone books have moved 
online, several have posted information about businesses in yellow pages-style list¬ 
ings. Caution should be exercised in using a wiki or online yellow pages as a primary 
source of data because by its nature, a wiki allows collaborative editing and cre¬ 
ation of postings by anyone, which can make a wiki s content suspect, and yellow 
pages may not be reviewed and edited by the owner or someone who can verify the 
details. The level of review and verification provided for posted materials, including 
source citations, is primary evidence of credibility. 

There are websites devoted to messages and forums for those following corpora¬ 
tions’ stock value and business development, including the message board hosted by 
Yahoo at http://finance.yahoo.com/mb/YHOO/. Postings are usually by nickname, 
preserving the anonymity of the writers, and sometimes feature scathing criticism 
and even insider revelations (which can bedevil corporations and pose legal risks). 
Another site with business message boards that can occasionally include vitriolic 
criticisms of businesses is RagingBull.com, and numerous blogs and chat rooms 
include business-related commentary. Several websites are like a cross between yel¬ 
low pages and business profile repositories, hosting data that are created from other 
websites (often from the businesses’ own websites). An example is Manta.com, 
which claims to list over 22 million US businesses. Details of business profiles that 
are found through Google searches should be verified because they may come from 
the business itself or Internet postings from nonauthoritative sources. 

Some websites cater to ratings of employers, such as http://www.jobitorial.com/, 
where employees may praise or pan their workplace, usually using pseudonyms. The 


Copyrighted material 



Finding Sources ■ 215 


Motley Fool (Fool.com) focuses on stocks and users, like those on Yahoo message 
boards, entertaining not only straight news items but also commentary (sometimes 
quite critical and factually questionable) about companies and their leaders. 


News 

Many current and several-year-old news items are likely to be found by search 
engines. However, these only scratch the surface of potential news media references 
to a subject. For many years, news archiving and retrieval services have offered search¬ 
ing by subscription, including Dialog.com, Nexis.com, ThompsonReuters.com, 
and Factiva.com. Free news references can be found on News.Google.com and 
News.Yahoo.com. Major newspapers and news websites also offer archival searches, 
many charging a fee for full texts of stories. Current (e.g., last 2 weeks) stories 
are usually available for free. Magazines, journals, and other publications increas¬ 
ingly can be retrieved, but possibly through pay-as-you-go sites or by subscription. 
Some major news sites are searchable by comprehensive, automated search engines 
like Copernic.com (which now owns Mama.com, a metasearch engine). More on 
Copernic appears in the next chapter. 

A successful strategy for finding references to persons and businesses in smaller 
communities and suburbs is to search for news media websites in the municipality, 
county, region, and state where the subject is located and in the subject matter area 
of the subject’s work or hobby. This search should include educational institutions’ 
publications as well as commercial news sites. Events such as newsworthy awards, 
arrests, achievements, lawsuits, family deaths, graduations, and so on may appear 
in news media reports and verify or reveal known or new facts about the subject. 
At http://dir.yahoo.com/news_and_media/ and http://www.dmoz.org/News/, a 
researcher can find media outlets that should be considered as potential sources of 
stories that may or may not be indexed by the major search engines. 


Web 2.0 

The term Web 2.0 (2004—present) 3 refers to interactive websites and applications 
that facilitate information sharing, interoperability, user-centered design, and col¬ 
laboration on the World Wide Web, allowing users to interact and collaborate 
with each other in a social media dialogue as creators of user-generated content 
in a virtual community. Examples of Web 2.0 include web-based communities, 
hosted services, web applications, social networking sites, video-sharing sites, wikis, 
blogs, mashups, and folksonomies. A Web 2.0 site allows its users to interact with 
other users or to change website content, in contrast to noninteractive websites 
where users are limited to the passive viewing of information that is provided to 


Copyrighted material 



216 ■ Cybervetting 


them. Mashups are services that combine data or functionality from two or more 
services, and “folksonomy is a system of classification derived from the practice 
and method of collaboratively creating and managing tags to annotate and catego¬ 
rize content.” 4 

What makes Web 2.0 useful from the investigators standpoint is that appli¬ 
cations, websites, and interactive communications (including mobile, instant 
messaging [IM], and mashups) all not only allow extended networking and com¬ 
munications but also enable investigators to track subjects in many new ways. Some 
of the new websites offering Web 2.0 features also enable a user to track other users 
(e.g., Friendfeed.com) and to sign on to a social networking site using another 
site (e.g., Facebook.com). When added to the formidable functionality in Google 
alerts (Google.com/alerts), it is possible to find information about current activities 
of someone online, especially when the subject actively posts updates on popular 
websites and is “tracked” by others. When an individual poses a threat, is investi¬ 
gated for ongoing criminal activities, or (unfortunately) is stalked by a malevolent 
person, these applications enable a type of surveillance previously unknown. Two 
aspects of these Web 2.0 features are that the implications of usage are not known to 
substantial percentages of users (thus creating vulnerabilities they are unaware of), 
and the average user may be divulging information to the public at large that is nei¬ 
ther prudent nor well understood. An example is if someone announces a departure 
from home on a trip and sends photos of the travels, allowing a burglar with access 
to these postings to see that the person is away and the home may be unoccupied. 

The popularity of Web 2.0 (exemplified by the hundreds of millions of users of 
Facebook and Twitter, to name just two websites) 5 is a primary reason why person¬ 
nel security must consider employee and candidate activities online because so many 
people define themselves by online activities. An intelligence or investigative collector 
employing Web 2.0 should find out the “handles” used by subjects of interest for their 
postings and communications. Often, these handles also appear in e-mail addresses, 
profiles, and frequently in Twitter and similar instant messaging (IM) services. It is 
not unusual for an individual to use the same handle for multiple Web 2.0 services. 

It is also normal for several websites to list the persons true name in conjunc¬ 
tion with the handle, especially on social networking sites. A key goal in the initial 
stages of any Internet investigation is to find all available virtual identities of the 
subject because of the additional data that could be available and the possibility 
that the added information may not be available without searching all of the sub¬ 
ject’s handles. Although some human resources (HR) departments have avoided 
searching social networking sites on applicants for “ethical reasons” (actually, legal 
doubt), there is a good reason to search them: They link a true name (which may 
not appear in their profile but nevertheless leads to their profile) with a user name, 
nickname, or handle seen elsewhere. This type of handle is a virtual alias on the 
public Internet and should be treated as such. 

Among the more productive postings from today’s websites are blogs and 
mashed up social networking entries. Today, the likelihood that an individual will 


Copyrighted material 



218 ■ Cybervetting 


dhese statistics suggest that the percentage of users previously considered “power 
users” may have multiplied, from perhaps one-third in 2010 to 80% or more today. 
Without speculating too much on the accuracy or implications of that idea, one 
might infer that the proportion of those online who are likely to succumb to an 
impulse to act out and post unflattering items is nearing 100% of the proportion 
who would act out in the physical world. 

As millions of users flock to the latest online services, they create both intel¬ 
ligence collection opportunities and the reasons for such collection. Two types of 
search tools have emerged from the evolution onto social networking platforms by 
Web 2.0 users: “real-time” and archival searchers. The real-time tools allow searches 
of Twitter and similar systems that are used to post short texts, photos, videos, and 
other items. The archival searches depend on indexing of materials posted online 
that takes place over about a 4-week period. Investigators need to know whether 
a search is likely to produce recent postings, and the only way to be sure is to go 
on the websites used by a subject and look for recent postings (which may or may 
not have been indexed yet by search engines). Relying on a search engine for recent 
postings is risky. Searching on Twitter for tweets provides up-to-date results, while 
using Yahoo! Search may not. With the jump in Web 2.0 use, several commercial 
search engines like Trackle, Monittor, Yauba, and others offered near-real-time, 
social website-inclusive searches, but some quickly failed. Soon, a new group of 
aggregator websites appeared, offering profiles of persons by fusing data from social 
sites and other postings, including Friendfeed, Pipl, PeopleSmart, Zabasearch, 
PeopleFinders, Spokeo, AdvancedBackgroundChecks, Zoominfo, Radaris, MyLife, 
and others (this list does not constitute a recommendation). An example of the 
potential value for investigators of correlating social networking postings to iden¬ 
tify individuals and discover behaviors is illustrated by a study reported in 2009 
by Arvind Narayanan and Dr. Vitaly Shmatikov from the University of Texas 
at Austin, 9 who developed an algorithm by which they identified the names and 
addresses of anonymous Twitter, Flickr, and Live Journal users by looking at rela¬ 
tionships between all the members of a social network—not just the immediate 
friends connected with members. They found that one-third of those who are on 
both Flickr and Twitter can be identified from the completely anonymous Twitter 
graph, despite the fact that the overlap of members between the two services is 
thought to be about 15%. The researchers suggested that the more social network 
sites are used, the more difficult it will become to remain anonymous. 10 

Searching Web 2.0 sites can be useful for finding people 11 and major stolen 
items, monitoring brands, protecting intellectual property, discovering slanderous 
or otherwise troublesome postings about a company or brand, and many other sim¬ 
ilar uses. Some can unearth employees in the act of embezzling, theft, and unau¬ 
thorized disclosures. Law firms often focus appropriately before and during trial on 
the evidence to be used and witnesses, oblivious to the fact that witnesses, stake¬ 
holders, interested parties, and even jurors, may be using the Internet to post and 
review both relevant and irrelevant items and both appropriate and inappropriate 


Copyrighted material 



Finding Sources ■ 219 


comments and sometimes posting items that may have a material impact on the 
trial. Preparation to depose or examine a witness on the stand can be strength¬ 
ened by reviewing what the witness said about the topic or related issues that may 
well appear online. Posted materials can help impeach testimony or steer a cross- 
examination away from an area where the likely answers of the witness might hurt 
the attorney’s case. If one side in a case reviews Internet postings but the other does 
not, there could be an advantage to the side that does. Public-sector witnesses have 
been blindsided when defense lawyers’ searches have lound online materials used to 
question the objectivity of their testimony. 12 Some lawyers who are Internet savvy 
scan for postings related to their cases, but this useful practice has yet to catch on 
with the legal profession as a whole. 


Looking Up Subscribers 

Often, an investigator will discover a telephone number, address, Internet protocol 
(IP) address (i.e., the string of numbers identifying a computer), a URL, or other 
listing information that needs to be identified or connected with the individual or 
organization of interest. People who post illicit materials online using anonymous 
virtual identities are pursued by stakeholders, for example, who try to identify them 
through the IP address, URL, e-mail address, or whatever concrete information 
is available. A variety of resources and search strategies exist for the investigator. 
Telephone numbers and addresses can be found in crisscross directories. Some of 
our favorite resources include the following: 

Zabasearch.com provides name and telephone number searching, and free 
results may include the approximate date of birth and date of data capture. 

Whitepages.com provides name, business, address, and telephone number look¬ 
ups, and sponsors have links offering more data for a fee. 

AnyWho.com is AT&T’s national white and yellow pages and reverse lookup 
directory. 

Similar services to those listed can be found on 4lllocate.com, addresses.com, 
people.yahoo.com, switchboard.com, and ussearch.com (which offers fee- 
based added information) and other sites. 

When using online white and yellow pages, it is important to remember that 
misspellings, inaccurate (e.g., outdated) references, and other errors appear in free 
listings. In addition, unlisted telephone numbers (and the proliferation of unlisted 
cell phones as primary or sole numbers) have made it more difficult to obtain or 
verify primary contact information for some subjects. Likewise, rural towns where 
post office boxes are preferred over residential mailboxes may impede finding or 
verifying a name-address physical combination. When crisscross directories like 
those suggested fail to provide sufficient information, real estate records may be an 


Copyrighted material 



220 ■ Cybervetting 


alternative. Sites like http://www.netronline.com/ may be helpful in finding free 
online listings provided by counties, some of which can be searched by address, 
name, and so on. For example, an investigator starting with a name or an address 
could find the mailing address, owners’ names, property description, and taxes of 
many homes in the United States. 

Websites are frequently a focus of Internet intelligence interest. Unfortunately, 
because of spam, many website owners hide their contact information through 
anonymization services provided by website hosts. Large services like GoDaddy. 
com, ThePlanet.com, landl.com, FatCow.com, NetworkSolutions.com, Microsoft, 
and Yahoo offer a variety of options for website owners, from registration of the 
domain name to shared or exclusive use of servers, site certificates, sales checkout, 
credit card merchant services, and so on. Design and maintenance of website con¬ 
tent are often done by outsourced contractors, including the host companies. It is 
important to know how to look up domain name ownership, IP address, and other 
website attributes so that those active on the web can be profiled accurately. This is 
generally known by the term Whois lookup . Several services offering Whois tracing 
include the following: 

http://www.who.is/whois/ 

http://www.betterwhois.com/ 

http://www.domaintools.com/ provides current, deleted, and expired domains 
and other services, including reverse IP lookup and traceroute 

http://www.networksolutions.com/whois/index.jsp offers Whois lookup and 
multiple services 

L-Soft offers a service for lookups for listservs (server-based e-mail broadcast 
services) across the Internet at http://www.lsoft.com/lists/listref.html 

IP2Location offers to provide the geographic location of IP addresses at http:// 
www.ip2location.com/1.2.3.4 

The Internet Assigned Numbers Authority (IANA) at http://www.iana.org/ 
provides coordination of the Domain Name System (DNS) and protocols for 
routing web traffic to the proper IP address from the URL entered and manages 
the global DNS root and the pool of IP numbers, allocating them to the regional 
Internet registries. It may be necessary to look up registries, registrars, domain 
name holders, and IP addresses using IANA and Internet registry resources. The 
Internet Corporation for Assigned Names and Numbers (ICANN) at http://www. 
icann.org/ coordinates IP addressing around the world. The American Registry for 
Internet Numbers (ARIN) is responsible for North America and the Caribbean 
and is available at https://www.arin.net/resources/index.html. 

The Internet is using IPv4 and IPv6 (a larger number of IP addresses coming 
online) to route network communications. The main thing for an investigator to 
understand is that just as the packets (bits of data) flowing to and from a computer 
“know where to go” using the Internet’s protocols, it is possible to find out, at least 


Copyrighted material 



Finding Sources ■ 221 


to a limited extent, who is at the other end of Internet connections by identifying 
the IP addresses used to route those packets. In the future, IPv6 may allow identi¬ 
fication of senders through better authentication built in to the protocol. However, 
the trend toward protecting users’ privacy against spammers harvesting e-mail 
addresses from the public Internet may offset the investigators ability to identify 
users from virtual identities. 


E-Mail 

E-mail plays a part in many Internet investigations. E-mail addresses can some¬ 
times be found using search engines, and both the user name and the entire address 
should be searched. E-mail can sometimes be traced on its route from sender 
to receiver, at least to the extent that the message header is not tampered with, 
depending on the e-mail service provider. E-mails may be sent from an Internet 
service provider (ISP) like Yahoo, Microsoft, or AOL or through a web mail service 
like Googles Gmail. E-mail also may come from a mail server operated by a cor¬ 
poration using its own mail server or an outsourced mail service provider. E-mail 
addresses may reflect the website of a business owner (e.g., john.doe@company. 
com) or the e-mail service provider (e.g., jdoe2@verizon.net, bigsam@hotmail.com). 
Internet investigators will sooner or later confront the need to identify the sender of 
an e-mail. The prospects of success for identifying “anonymous” e-mailers are not 
always high, but at least the initial steps are comparatively simple: 

1. Obtain the message header. Ask the recipient of the e-mail to capture the 
message header and send it to you. Merely forwarding the message will not 
provide you with the original e-mail’s message header. To obtain the message 
header, that is, the routing information about where the e-mail came from, 
the recipient should view and print it or copy and paste it from the e-mail 
program used. With Yahoo! mail, click the link “Full Headers” at the bottom 
of the page. With Outlook, click “Options,” and the routing information 
appears. In Gmail, click on the down arrow next to “Reply” at the top right 
of the message pane and select “Show Original.” In any e-mail program, look 
in help for “message header” or “full header” for instructions on how to find 
the routing information. 

2. Review and analyze the message header. The header usually displays the 
sender’s e-mail and IP address (which consists of numbers in the format 
XXX.XXX.XXX.XXX, for example, 123.435.987.654), shown closest to the 
sender’s e-mail address at the bottom of the header. Ihe IP addresses shown 
between the bottom and the top (where the recipient’s e-mail address appears) 
are the IP addresses of servers through which the message was routed. 

3. Use a reverse IP address lookup service to identify the IP address of the 
sender. This will usually at least provide the user’s ISP, allow placement in 


Copyrighted material 



222 ■ Cybervetting 


a geographical region, and in some cases provide the IP address of the mail 
server used by the sender. It may not be possible to identify the individual 
sender from a dynamic IP address unless the mail service provider will agree 
to determine who used that IP address on a specific date at a specific time 
(shown on the message—if the time/date stamp is accurate). Most ISPs and 
mail service providers demand a legal process (subpoena or warrant) for an 
outside investigator to identify senders by IP address. Law enforcement or 
court intervention would be needed for that step. With a fixed IP address, 
the mail host of the sender and possibly the sender himself or herself can be 
identified. Internal enterprise investigators may be able to use IT records to 
identify the sender of an e-mail launched within the enterprise. 

4. In attempting to identify the sender of an e-mail, do not overlook analysis 
of the possible suspects’ activities at the time that the e-mail was sent and 
include an analysis of the user name, content, and context of the message 
itself. These often provide clues to the sender’s identity. Although it is possible 
for someone to create a free e-mail account just to send one e-mail, it is also 
possible that the sender used the same “anonymous’’ e-mail address or handle 
for many other communications, which may be linked with the sender on the 
Internet. Some e-mail accounts contain public profiles identifying the user. 
Some are linked with the user’s work or true name e-mail addresses on social, 
business, and other sites. 

5. When all else fails, it may be possible to engage the sender of an e-mail in an 
exchange of messages that could lead to his or her identification. This ploy 
demands sophisticated manipulation of the communications so the person is 
not tipped off that someone is trying to identify who he or she is and requires 
that the person answer the e-mail. If the sender is determined to remain 
anonymous, he or she may never return to the e-mail account used. However, 
some people are curious to see if there is a response to their provocation. 


Commercial Database Providers 

An increasing number of database companies provide registered clients such reports 
as business credit (e.g., Dun &C Bradstreet at dnb.com and Experian at smartbusi- 
nessreports.com), employment verification (e.g., TheWorkNumber.com), and edu¬ 
cation verification (National Student Clearinghouse at StudentClearinghouse.org). 
As services continue to increase, databases like these should be sought out in peri¬ 
odic updates of resources available to the online investigator. The goal is to utilize a 
number of different sources, fusing the results into findings needed. 

As an analyst becomes more experienced and comfortable with Internet investi¬ 
gations, it is almost inevitable that the analyst will be asked to find out something 
that simply is not available on the Internet. There are many types of misbehav¬ 
ior, including malicious and destructive communications, hate speech, bullying, 


Copyrighted material 



Finding Sources ■ 223 


stalking, slander against individuals and organizations, and postings corrosive of 
morale and civil behavior. Hard economic times sometimes bring out the worst in 
people, as do extreme political, religious, and moral beliefs. Personal disputes and 
sexual pursuits arise frequently in all groups. Analysts are asked to identify anony¬ 
mous actors using the Internet to carry out misbehavior. Although every assign¬ 
ment may prove possible to accomplish, the ability of users to hide behind virtual 
identities can erect an impenetrable barrier. When a high degree of difficulty is 
found, it is important to enlist the help of others, such as information technology 
(IT) systems administrators and “white-hat” hackers, who may be able to trace 
activities using their systems security methods, including system logs, firewalls, 
user-monitoring tools, and Web-tracing tools. Often, the subject is a person within 
the organization itself, even if the communications appear to come from outside. 
The analyst contributes to the identification of the subject and resolution of the 
case, even if it proves impossible to use conventional Internet investigative meth¬ 
ods, because a thorough inquiry explores every possible means (within reason and 
ethical constraints). Collaboration with others with different skill sets has proven 
to add value to all types of Internet investigations. 

Although it may appear that the URLs of the suggested sources listed make up 
a long list, they are only a part—examples—of the wide variety of sources available. 
If an analyst were to use a substantial number of the URLs in manual searches, 
it could take a long time. Further, searching is step 1; review, filtering, capture, 
and analysis must still be done. Automating the search process can dramatically 
improve efficiency, so that is the topic of the next chapter. 


Notes 

1. http://www.naco.org/Counties/learn/Pages/Overview.aspx (accessed April 21, 2014). 

2. Hetherington, Cynthia, and Stankey, Michael L., The Manual to Online Public Records, 
The Researcher’s Tool to Onlme Public Records and Public Information , 6th edition 
(Tempe, AZ: BRB, 2008). 

3. Wikipedia, http://en.wikipedia.Org/wiki/Web_2.0 (accessed April 21, 2014). 

4. Wikipedia, http://en.wikipedia.org/wiki/Folksonomyand http://en.wikipedia.org/ 
wiki/Mashup_%28web_application_hybrid%29 (accessed April 21, 2014). 

5. Social Networking Fact Sheet, Pew Internet and American Life Project, September 
2013, http://www.pewinternet.org/fact-sheets/social-networking-fact-sheet/ (accessed 

April 17, 2014). 

6. Carey, Rob, Navy CIOs blog, http://www.doncio.navy.mil/Blog.aspx (accessed 
June 10, 2010). 

7. Smith, Aaron, Mobile Access 2010, Pew Internet and American Life Project, July 7, 
2010, http://www.pewinternet.org/ "I media//Files/Reports/201 0/PIP_Mobile_ 
Access_2010.pdl (accessed August 22, 2010), which illustrated rapid growth in wire¬ 
less Internet use in all types of devices, including the fact that as of May 2010, 59% of 
adult Americans go online wirelessly, with increases in both laptop and cell web users. 


Copyrighted material 



224 ■ Cybervetting 


8. Pew Internet and American Life Project, mobile technology fact sheet, as of January 
2014, http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/ and 
social networking factsheet, as of September 2013, http://www.pewinternet.org/fact- 
sheets/social-networking-fact-sheet/ (both accessed April 21, 2014). 

9. Schneier, Bruce, Schneier on Security: Identifying People Using Anonymous Social 
Networking Data, April 6, 2009, http://www.schneier.com/blog/archives/2009/04/ 
identifying_peo.html (accessed April 17, 2010), relating the results of a study by 
Arvind Narayanan and Dr. Vitaly Shmatikov, from the University of Texas at Austin, 
in De-Anonymizing Social Networks, for IEEE Security and Privacy ’09, available at 
http://randomwalker.info/social-networks/. 

10. As the Texas study in Note 9 illustrated, sophisticated computer analysis may be capa¬ 
ble of sifting huge quantities of data online to find previously hidden activities of 
“anonymous” users, meaning that one future possibility includes automated vetting 
tools that expose prior postings when candidates are cybervetted. 

11. Taub, Eric A., Going beyond Google to Find a Lost Friend, New York Times , March 25, 

2010. 

12. For example: Dwyer, Tim, The Officer Who Posted Too Much on MySpace, New York 
Times , March 10, 2009, http://www.nytimes.com/2009/03/ll/nyregion/llabout. 
html?_r=2 (accessed April 21, 2014). A man arrested for illegal possession of a gun 
while on probation, resisting arrest, and using a stolen motorcycle was acquitted of 
the most serious charges (gun possession) by claiming that the officers MySpace page, 
which referred to the film Training Day and had other cynical postings, showed that 
the officers word could not be trusted, and the defendants claims of brutality and 
dishonesty were accepted by the jury. 


Copyrighted material 



Chapter 18 

Automation of Searching 


Introduction 

Search engines are amazing in their automation of the search process because they 
deliver the results of several complex and difficult system functions in less than a 
second consistently and with high quality. Like the dial tone always present when 
we pick up the phone, we take it for granted that in mere seconds we can execute 
a search and dive into results. Search engines like Google combine the spiders that 
crawl the web, applications that capture text and images, many servers that store 
billions of pages, indexing that allows instant retrieval, and algorithms to serve up 
references in the order most probably useful to the user. These are all wondrous 
functions. However, further automation is required to reduce the time needed for 
professional analysts to collect and present information quickly and simultaneously 
from many different search engines and websites where references are most likely to 
be found. When one looks for an automated Internet search tool, not many choices 
are found besides Internet search engines and intranet database-searching systems. 
Although in the broadest sense, Google is a tool, it is really a website offering a 
search service sponsored by commercials. Unfortunately, few good options for 
unadulterated desktop search software for the use of an investigator exist. 1 

Two types of software appear to be in relatively common use: enterprise search- 
database software, sometimes characterized as “middleware,” and metasearch tools. 
The enterprise tools are designed to allow multiple different databases, including 
the Internet, to be accessed, and output normalized, for many users. They are gen¬ 
erally large, expensive systems, demanding separate servers with access to source 
information, including the Internet. Metasearch tools are relatively simple Internet 
retrievers, combining multiple search engines into a single browser interface, to 

225 


Copyrighted material 


228 ■ Cybervetting 


Pro appear to be used as similar analytical platforms, integrating data from mul¬ 
tiple stores and the Internet. 6 These types of systems can cost several thousand dol¬ 
lars per user for software, maintenance, appropriate hardware, and training. Many 
intelligence and investigative agency analysts use these tools successfully, and data 
captured from the Internet during investigations can be incorporated into the pro¬ 
cess. However, these systems are neither designed nor optimized for open-source 
data integration into the applications because they do not conduct comprehensive 
Internet searching as an integrated function. One reason is that intelligence and 
law enforcement agencies do not want to have a system that is integrated with their 
sensitive and classified internal databases connected directly to the public Internet. 
Another reason is that the Internet is not just another database, but rather a huge 
network of disparate types of data sources and program languages. 

Essentially, professional analytical software for investigative analysts was not 
designed for Internet searching and costs too much for most individuals and small 
agencies. The types of software/middleware designed for law enforcement, court, 
and jail records management systems allow queries of public records (e.g., driver’s 
licenses, car registrations, telephone directories) and law enforcement databases (e.g., 
the National Crime Information Center, court and inmate records). 7 Some systems 
span multiple jurisdictions, merging data from many databases. Unfortunately, 
these systems are much better at integrating structured data from linked records 
systems than they are at including Internet data, which are unstructured. Still, 
continued development of these systems is closing in on the goal of true integra¬ 
tion of open-source data into the corporate body of knowledge. Many investigators 
prefer a personally managed tool singularly focused on open-source information 
fro m the Internet. 

Some desktop tools have appeared with law enforcement and intelligence agen¬ 
cies as targeted markets, offering analytical software that fuses data from disparate 
sources, using geographical, descriptive, relations, patterns, connections and trend 
attributes, and sometimes social network analytics, to visualize or depict threats, 
risks, relationships, and opportunities. For example, Vere Software’s WebCase soft¬ 
ware 8 is sold as a single-user or corporate edition (about $595—$745 in 2009 dollars) 
and in 2009 was reviewed favorably. 9 Other examples provided by the International 
Association of Crime Analysts’ Resource Center 10 include software by Palantir, 11 
HunchLab, 12 PowerCase, 13 and others. The core functions of this type of software 
relate to management, analysis, and depiction of data already collected and not 
full-featured web search. 

A class of tools designed to facilitate web crawling and retrieval or “scraping,” 
data mining (like Google, but not nearly as quick or robust), is optimized for mar¬ 
keting intelligence professionals, so it is not reviewed here. 14 Suffice it to say that 
harvesting e-mail addresses or comparing products, prices, and presentations are 
not what a professional Internet investigator is seeking. 


Copyrighted material 



Automation of Searching ■ 229 


Best-in-Class Desktop Tool 

Currently, an example exists of a commercial off-the-shelf tool well suited for Internet 
investigators; this tool is known as Copernic Agent Personal (free) and Copernic 
Agent Professional (licensed) and is made by a Montreal company (Copernic.com) 
that also owns the classical metasearch engine Mamma.com. 15 Copernic s free desk¬ 
top Internet search tool is good, but its turbo-charged Copernic Agent Professional 
version for about $40 is exceptional. At this writing, the free download version of 
Copernic Agent for personal use appears on the website, but the professional version 
no longer does, having been discontinued January 31, 2014. 16 The professional ver¬ 
sion has allowed a user to do customized searching efficiently and facilitated review, 
filtering, and reporting. In addition, Copernic makes desktop and enterprise search 
tools that index and search corporate or agency data (again, free for private use, 
with a modest fee for commercial use). Copernic also makes a tool, Tracker, to 
follow and update website activities and topics, and another tool, Summarizes to 
extract the essence of text found to facilitate the reporting process. While Copernic 
Agent Professional was not the only tool available, its success among private and 
corporate investigators, as distinct from law enforcement, qualified it to be the only 
one mentioned here. Fortunately, Copernic Agent Personal is still available. 


Investigative Search Tool Requirements 

The ideal automated search tool is able to access chosen websites’ search functions in 
large numbers. Copernic, for example, may query more or less 200 sites and return 
results in a few seconds. Filtering the results can be more efficient when the appli¬ 
cation allows the analyst to discard references that are false and select those that 
need in-depth review quickly and easily. Code that helps identify true references by 
name resolution (entity resolution) can help the analyst to filter possible references 
to a subject quickly and home in on those most likely to be identifiable. Much 
of the postsearch processing still must be the responsibility of the human analyst 
because computers are unable to make final identity and verification judgments. 

Today, massive databases of public and private data are offered for a fee to 
subscribers of services like those provided by LexisNexis (e.g., Acurint, furnished 
to private investigators through IRB). 1 Competing large data broker firms, all of 
which are careful to verify subscribers’ lawful purpose for access, include TLO and 
CLEAR. 18 One of LexisNexis’ most successful capabilities in delivering records ser¬ 
vices is the ability to mine huge databases, reportedly carried out by advanced com¬ 
puter systems developed for the purpose. 19 The systems retrieve references to the 
subject of a query and pull related information into a cohesive report. As remark¬ 
able as the Acurint systems are, it is revealing that similar systems are not available 
to search for, identify references to, filter for accuracy, and compose a report from 


Copyrighted material 



230 ■ Cybervetting 


information available on the Internet. One reason is the enormous push of adver¬ 
tising and spam that are focused on web search today, which reportedly was one 
factor in Copernic discontinuing its Agent Professional software: “The information 
available on the web is growing exponentially and current search engines push a 
lot of sponsored links which affects greatly the search results quality.” 20 Although 
the data brokers claim to include such Internet-related information as the subject s 
e-mail addresses and, in some instances, social networking references, their systems 
are as yet incapable of providing comprehensive search results. 

Several government agencies and private companies are trying to develop tools 
that can deliver comprehensive reports from the Internet. As a nonprogrammer, 
I find it easiest to explain the current situation by reflecting that in the Federal 
Bureau of Investigation (FBI), I always found at least two or more people with the 
same name when searching FBI indices. Ihc world s billions of people are reflected 
in Internet data, and one can imagine how many people with the same name appear 
online. Ensuring that the information found relates to the subject of interest and 
not someone else is still the art of the analyst. 

One way to automate searching would be to have a multistep processor, such as 
one that does the following: 

User enters known data into a database (new file on subject) —> 

Autosearch retrieves terms from database, executes Internet searches —> 

Search can include enterprise databases via intranet —> 

Autoretrieve captures online pages (text), places results in database —» 
Autoanalyze performs name resolution on new database items —> 

Ranks results by likelihood of relevance 
Selects new search terms from text retrieved 

Sends new terms through autosearch, which executes new searches 
Repeats the autoretrieve and analysis process for second-tier results —» 
Autoreport presents all results to the user in a draft text report —» 

User edits the draft report, selects items for inclusion or deletion —> 

User finalizes the report, sends it for review and publication 

This process could include artificial intelligence (AI; a complex set of algorithms 
to allow the computer system to decide the highest-value retrieved data and place 
them into a draft report according to criteria programmed into the software). One 
type of AI might filter out false positives from search engines, and another might 
simply record sources for all confirming facts found (e.g., references that show the 
subject has the same address and profile already known) and report only conflicting 
or derogatory findings. AI would allow more processing and less human analysis, 
but in the end, there is still a need for analysts to make decisions about which 
references are identifiable with the subject, which are usable based on policy and 
standards of reporting, and which should be followed up with further investigation 
to determine the facts and resolve any potential discrepancies. The contribution 


Copyrighted material 



Automation of Searching ■ 231 


of automation is that the analysts time is focused on assessment and reporting of 
results rather than a manual process of search, review, select, capture, and report. 
Relieving the analyst of time-consuming, repetitive actions can allow much more 
efficient exploitation of open-source intelligence and allow processing of more sub¬ 
jects more quickly and with better results. 


A Homegrown Solution 

To solve the problem of collection online, my company developed our own propri¬ 
etary tool for analysts to use in conducting searches. It functions much like a group 
of search engines bound together into a multithreaded search engine. The tool is 
loaded with URLs that usually produce the best search results (major search engines, 
alternative search terms such as exact match, and a variety of social networking and 
selected online search sites). Tie analyst enters a search term (name, e-mail, IP 
address, phone, postal address, or up to 10 keywords). The predetermined searches 
are done simultaneously in a few seconds. The analyst then scans the results from 
each fruitful search and captures the content from the links. The tool is flexible, 
allowing the analyst to update the queried URLs as needed to fit the purpose. It 
allows hour on hour of serial, manual searching to be done in minutes. We are still 
in the process of building our next-generation search-and-analysis tool, which we 
hope will reduce the time required to analyze search results by capturing references 
in a database from which identifiable information can be scanned, reviewed, and 
accepted or rejected efficiently and reports can be generated automatically. 


Reducing Analytical Time Using Automation 

As related previously, the analyst oversees a multistep process in providing reports 
of open-source Internet intelligence on any topic, including the search, filtering, 
analysis, composition, and reporting. Each of the steps mentioned is actually a 
serial, multitask process because the initial search is supplemented by searches of 
new terms found in results. Here is how we have managed to reduce the time 
needed for an investigator to report results ol an Internet search: 

■ Do as many searches as possible simultaneously, using available automation, 
then search key URLs from a list manually. For a new practitioner, we rec¬ 
ommend using Copernic Agent, search (Google and Bing) and metasearch 
engines, and URLs mentioned in the previous chapters, including those best 
suited for the case, to ensure that the search is comprehensive, accurate, and 
reliable. 

■ Review and select results for inclusion in reporting, capturing images of 
Internet pages deemed to contain substantive information. 


Copyrighted material 



232 


■ Cybervetting 


■ Summarize findings and provide links to sources of items used in the report. 

■ Append images of the web pages used in the report, if appropriate. 

■ Assemble and retain a file with collected items and the report. 

■ When using a team to search, furnish a reports officer with the results men¬ 
tioned for inclusion in a combined report of findings. 

For an individual subject, this process can be accomplished in about 2 hours 
by an experienced analyst or team. However, if the references are extensive and the 
contents of data found are lengthy, considerable additional time may be required to 
search, analyze results, choose the most apt items responsive to the assignment, and 
compose the report language. 

The magic of the analyst is exercising the logic and intuition needed to find 
and report what those requesting the search want to know. Often, the question is 
whether there is some past behavior by a person or entity that may signal that the 
subject poses a risk in a future association, such as an employee, contractor, holder 
of a clearance, witness, suspect, customer, partner, trustee, supplier, or merger 
acquisition. The successful analyst recognizes and reports precisely the facts that 
may be of concern for the moment in decision making. This is the essence of value- 
based intelligence. 


Caching and Data Mining 

Today s collection tools, database programs, and storage capabilities allow even the 
small agency to identify, capture, and cache data likely to be of investigative use. 
For example, if the analyst can identity a series of websites/URLs that contain post¬ 
ing s of potential interest to the client, then they can be collected continuously and 
placed in storage. At first blush, this may seem to be a daunting task for an analyst 
who is not a programmer of search tools or databases and does not have the infor¬ 
mation technology (IT) skills to be the architect of an enterprise records manage¬ 
ment system. However, the tools mentioned in this book can be used to construct a 
low-cost solution that is capable of collecting valuable data on practically any topic. 
For example, using free Internet search and tracking tools can allow an analyst 
to find, copy, and store web pages in HTML (HyperText Markup Language) or 
Portable Document Format (PDF) in a free MySQL or Excel database or simply in 
an unstructured folder. For less than $100, the analyst can put the database on a 
separate hard drive with a terabyte or more of space. Several search utilities, costing 
from nothing (i.e., part of a personal computer operating system) up to about $50, 
allow the analyst to mine the database in moments, using word search, to retrieve 
information on any topic. Now, the analyst has a proprietary solution to data col¬ 
lection and exploitation on a matter of special interest. 

With programming help and advanced tools, analysts have used the method 
outlined to capture information about criminal activities online, copying and 


Copyrighted material 



Automation of Searching ■ 233 


storing the computer activities of pirates, fencers, drug dealers, thieves, crackers, 
credit card fraudsters, and spammers. Once a channel for illicit activities is identi¬ 
fied, it can be monitored and recorded for enforcement, intelligence, and secu¬ 
rity use. This approach could be described as the great equalizer on the largely 
unpoliced Internet. Of course, the richness of information found online allows 
marketers, researchers of all kinds, and curious individuals to find intelligence on 
almost any topic in the same way. 


The Human Interface in Internet Investigations 

A colleague in law enforcement complained privately that todays crop of incoming 
investigators is more apt to expect to find all the answers at the computer screen and 
seems reluctant to use interviews, field investigation, and traditional surveillance 
techniques to gather information. There may be some truth to this observation, but 
in reality, human interaction must be used to identify the websites of greatest inter¬ 
est and to find out the methodology and motivation of offenders. With only one 
or a few undercover operators, perpetrators’ Internet communications systems can 
be identified and monitored by intelligence officers. Coordination among officers 
is critical to build on both human and cyber intelligence to gain and maintain the 
best surveillance and witness elicitation possible. Among the sources used for this 
type of approach are the following: 

■ Recently captured, arrested, or convicted individuals knowledgeable about 
online support for the illicit enterprises 

■ Data retrieved during computer forensic analysis of systems used in crimes 
and in lawful intercepts 

■ Confidences shared with trusted inside sources by those involved in the 
illicit enterprise 

■ Online infiltration of an illicit enterprise by an investigator 

■ Witness reports 

To collect intelligence needed on people and entities engaged in misbehavior, 
it is sometimes necessary for an investigator to assume an undercover role. Care 
should be taken in such undertakings to ensure that the undercover officer does not 
commit illegal or unlawful acts, which can result in evidence inadmissible in a legal 
or administrative proceeding. In addition, both ethical and psychological reviews 
are needed to keep the undercover person on track and avoid the kinds of activities 
that could be reprehensible. Recent history has taught both law enforcement and 
private investigators many lessons about how not to carry out undercover activities. 
Undercover activities fall under the rubric of “Don’t try this at home,” requiring 
professional training and experience in investigations. 


Copyrighted material 



234 ■ Cybervetting 


Closely related to the undercover role is the concept of ‘"pretexting.” Neither 
undercover investigation nor pretexting is illegal or unethical in and of themselves, 
but if either involves certain types of inducement to commit crimes, illicit decep¬ 
tion, or fraud, it can be unlawful. Classical pretexting calls for an operative to 
ask questions as though he or she were entitled to receive the answers, which may 
involve misleading or misdirecting the subject. Using a too-broad definition of 
pretexting unfortunately led private investigators in a notorious case to pretend to 
be the subjects of their investigations in communications with telephone compa¬ 
nies to obtain copies of the subjects’ telephone bills. This constituted wire fraud, a 
federal crime. When an investigator assumes a role that is not fraudulent (e.g., an 
old classmate, a journalist, or a friend s friend) and asks questions of a subject or 
associates, a pretext can remain within legal and ethical boundaries. For example, 
asking a subject or his family about his welfare and inviting him to an upcoming 
reunion can result in elicitation of substantive data, and the discussion might occur 
over the Internet. Another example is when an investigator using a pseudonym 
makes a request to a subject to be included among customers of an illicit enterprise, 
such as distribution of contraband, like pirated movies, music, and software. When 
a pretext such as these results in acceptance of the undercover operator, it may be 
possible to gain access to illegal, ongoing web communications. Such communica¬ 
tions can be captured and cached to facilitate collection of evidence, intelligence, 
and security protection information. 

A persistent question about propriety in background vetting online is whether 
it is ethical to pose as a fellow alumnus or associate or, without identifying oneself 
as an investigator, to ask a subject to be included as a trusted insider (“to friend” 
the subject) with access to privacy-protected data on a subjects social networking 
site. A subject, on learning the friend is an investigator, might consider such a ploy 
to be a violation of privacy. However, there are two issues to consider. One is the 
reason that the investigator might want to view the data only shown to the subject’s 
“friends.” If there is reason to believe that the data could contain substantive infor¬ 
mation about misbehavior by the subject, there could be a strong reason to attempt 
the subterfuge described. Further, if the subject has a wide circle with a large num¬ 
ber of friends, the “privacy” protected may be minimal, dhe investigator, possibly 
aided by others in the background investigation, should consider other alternatives, 
such as interviews of the subject’s associates (who could be among the social site’s 
listed friends). “Friendship” the subject to access a restricted profile may be deemed 
ethical and less intrusive than interviews of the subject’s associates. However, using 
such ploys routinely, without a compelling reason, such as a lack of alternative 
means to resolve questions, would not be considered proper. 

Another issue relating to Internet investigative ethics is whether viewing a sub¬ 
ject’s associates’ postings is proper. The subject may have been notified, and con¬ 
sented to cybervetting, but his friends have not. This question concerns the degree 
to which the privacy of the associates is breached when their publicly visible postings 


Copyrighted material 



236 ■ Cybervetting 


6. Digital Information Gateway (Visual Analytics), a Raytheon offering, http://www. 
visualanalytics.com/products/dig/index.cfm (accessed April 22, 2014); Navagent 
Surf3D Pro, http://www.navagent.com/ (accessed April 22, 2014). 

7. International Association of Crime Analysts (IACA) evaluation of crime analysis soft¬ 
ware, http://www.iaca. net/resources.asp?Cat=Software (accessed April 22, 2014). 

8. Vere Software Internet Investigators Toolkit, http://veresoftware.com/index.php/ 
wcbcase_overview/downloads (accessed April 22, 2014). 

9. Guardian Digital Forensics tool reviews, http://digitalforensictools.blogspot. 
com/2009/02/webcase-vere-software.html (accessed April 22, 2014). 

10. http://www.iaca.net/resources.asp?Cat=Software (accessed April 22, 2014). 

11. http://www.palantir.com / (accessed April 22, 2014). 

12. http://www.azavea.com/products/hunchlab (accessed April 22, 2014). 

13. http://www.xanalys.com/products/ (accessed April 22, 2014). 

14. Many examples are provided on http://www.kdnuggets.com/software/web-content- 
mining.html (accessed April 22, 2014). 

15. Copernic is found at http://www.copernic.com/. 

16. http://www.copernic.com/en/products/agent/ (accessed April 22, 2014). 

17. LexisNexis is found at http://www.lexisnexis.com/, as is Acurint. IRB is at http://www. 
irbsearch.com/ (accessed April 22, 2014). 

18. TLO, a Trans Union company, http://www.tlo.com/, and CLEAR, by Thomson 
Reuters, https://clear.thomsonreuters.com/clear_home/index.jsp (accessed April 22, 
2014). 

19. O’Harrow, Robert, Jr., No Place to Hide (New York: Free Press, 2005). 

20. http://www.copernic.com/en/products/agent/ (accessed April 22, 2014). 


Copyrighted material 



Chapter 19 

Internet Intelligence 
Reporting 


Introduction 

Based on current legal and policy standards (or lack thereof) about the use of 
Internet intelligence, it appears that the highest risk is in the reporting and subse¬ 
quent use of online data. Merely conducting an online search creates a record in 
the computer used, which might be legally discoverable, even if no report of find¬ 
ings is made. Reports may be oral or written, but it is clear that even when formal 
reports are not written, the activities of the web searcher are chronicled in one form 
or another in the computer systems used to access the Internet. Today, many enter¬ 
prises allow anyone to search any topic, to process any information gained as they 
wish, and to reach whatever conclusions or decisions they believe are appropriate 
based on their findings. Major search engines store records of queries not only on 
the workstation of the researcher, but also on proxies, firewalls, and search engine 
servers, identifying queries with Internet protocol (IP) addresses. A serial murderer 
in the Midwest was convicted based in part on evidence of searching and mapping 
done on his personal computer (PC). Internet search records could be subpoenaed 
to show bias or unfair treatment. If a pattern of unfair practices were suspected 
(e.g., bias in hiring), the enterprise s Internet search records could be obtained for 
civil or criminal proceedings. 

Although work-related googling is widely allowed, some agencies and enterprises 
have adopted policies about cybervetting. Many forbid or discourage cybervetting. 
A problem created by forbidding cybervetting is that enterprise computers are apt 
to contain vestiges (evidence) of unauthorized web searching by employees, and 

237 


Copyrighted material 


238 ■ Cybervetting 


decisions or conclusions they reach may not be linked to information they found 
online. Even though cybervetting guidelines may need to be more complex than 
simply forbidding the practice, it is better for the enterprise to set conditions for the 
use of search results, and require documentation, to protect against false charges 
of discrimination. In-house investigations are not limited by the Fair Credit 
Reporting Act, but the same set of ethical and legal principles should be applied so 
that employees’ conduct is lawful, dhe bottom line of cybervetting guidance should 
be that online investigations must be authorized and properly documented, and 
actions taken must be based on findings recorded. 


Records 

The overall positive effects of using the Internet as a quick reference tool far out¬ 
weigh the risks of second-guessing the decisions made based on such searches. 
However, when the decisions made could have an impact on people, significant 
assets, or information, the enterprise policy should be to create and maintain busi¬ 
ness records of the process. Among the benefits derived from such documentation 
are protection of process integrity against liability claims for impropriety, a “paper 
trail” from which processes can be improved, and records that can be consulted 
for facts in the future. Because substantive Internet intelligence reporting may be 
provided to several different recipients, combined with results of other investigative 
steps (e.g., interviews), or may be summarized for executive use, it is important to 
have coherent reporting and records retention schemes. What follows is a series 
of recommendations about how open-source intelligence and specifically Internet 
information should be reported. 1 

Ultimately, the client decides the best, most efficient way that findings should 
be conveyed. Experience has shown that when a report is complete but simple 
and straightforward, it has great value. Further, if it is well written, that is, clearly 
worded, holds the attention of the reader, and is grammatical and well organized, 
it is most effective in communicating the essential facts that decision makers need. 


Content 

The first principle of good business and government record keeping is to have a file 
for each case or project, in which a copy is kept of each document, reference, or link 
that was used in the matter. If the issue does not rise to the level of a case or proj¬ 
ect, then it is appropriate to keep a copy of any memo, notes, or correspondence 
in a file on the general topic, indexed for retrieval, should that be necessary in the 
future. Records routinely kept in this manner can resolve many potential issues 
that might arise, including refreshing recollections, documenting actions taken, 
and being available to support or defend against a legal claim. Internet searches, in 


Copyrighted material 



Internet Intelligence Reporting ■ 239 


both raw and finished form, should be preserved in files when appropriate, such as 
when an adverse decision is made or when details could be needed in the future. 
When in doubt, keep a record long enough so that if an issue arises months, or even 
3—5 years, from the file’s creation, the facts about the file’s contents will be known. 
Files containing personally identifiable information should be retained according 
to the enterprise’s schedule for records disposition and destruction. 

Basic principles of business and government reporting should be observed, 
including recording the dates that items are found, the original dates the items 
were created and their authors (if available), the precise locations, and any other 
details that identify and describe the data found, who handled them, and how they 
were preserved. Investigative agencies routinely record the identities of investigators 
and analysts, a summary of how information was obtained, and information dis¬ 
position. Data should be stored in a manner designed to protect their security and 
integrity. By observing such routines, analysts will ensure that the reliability of the 
content is as high as possible and may be qualified as evidence in a court. 

There are several ways to approach report content, based on client needs. One 
type of report is the report by exception, in which known facts and items developed 
that are not expected to have an impact on a decision are omitted from the report. 
Unreported data are still maintained in the file containing the record of the inquiry 
in case someone needs to refer to them, but they are not set out in the case report. 
For example, when the purpose of the report is to ascertain whether there is any 
information available from an Internet search that could have an impact on a hiring 
or clearance decision, the investigator could be told to leave out of the report verifi¬ 
cation of address, employer, telephone number, and so on and even the fact that the 
subject has a Facebook profile. Names of other people not needed for adjudication 
could be omitted. Of course, the report should not contain information identify¬ 
ing the subject as a member of a protected class (race, religion, ethnicity, sex, etc.) 
with few exceptions. However, if the subject’s behavior or documents online show 
that the subject misbehaved (e.g., violated a law, showed bad judgment, mistreated 
someone, or was dishonest), those items would be placed in a report. If there were 
no derogatory findings, the subject’s name could be placed on a list about whom 
there was nothing to report, based on the criteria for the Internet search conducted. 
This approach could be helpful to those enterprises seeking to include cybervetting 
in personnel screening because, although the collection and analysis of Internet 
data may be resource intensive in covering a long list of searches, the reporting is 
simplified for efficiency. 

Another type of reporting is to capture and present any and all information 
found. Information is frequently organized under topical headings like those found 
in an Outlook address book: name, address, telephone numbers, e-mail addresses, 
employer, position, and so on. These headings can be expanded or limited based on 
findings and client requirements and can apply to people, entities, and topics. New 
headings can be created to suit the case, such as arrests, civil suits, online activities, 
news media reports, and so on. When a report is lengthy, it is appropriate to include 


Copyrighted material 



240 ■ Cybervetting 


an executive summary at the beginning, briefly presenting all major results. More 
significant findings, that is, those deemed material to the client, should be priori¬ 
tized by inclusion as early as possible in a lengthy report. 


Analyst's Comments 

When reporting items found online that may need explanation, it is appropriate to 
include an analysts comments. The comments should be set off from the factual 
reporting and clearly indicate their origin and purpose. For example: 


[Analyst’s note: The author of this posting using a name identical with the subjects 
does not appear to be identifiable with the subject because his residence is located 
354 miles from the subjects residence.] 


It is appropriate to include analyst s comments in circumstances such as the 
following: 

■ The item reported may not be true, may not be identifiable with the subject, 
or should be treated skeptically. 

■ The manner in which the item was found could have a bearing on how it is used. 

■ Additional information could place the item in a new light. 

■ Other facts found tend to either confirm or deny the item reported. 

■ An explanation may be needed for a particular type of Internet activity or 
language used (e.g., jargon). 

In the event that an analysts experience could contribute to the interpretation 
of a report but inclusion of opinion in the report itself is inappropriate, a separate 
report cover page or transmittal communication may be used. This is a tradition in 
law enforcement and intelligence reporting when commentary or guidance is added 
to a factual report. In language that clearly separates findings from observations, 
opinions, and possibly suggested guidance, the analyst can set out helpful com¬ 
ments for the client. A (fictionalized) example might be the following: 


In the attached report, references to “PPXX69’s” Facebook and Flickr profiles, 
with the accompanying photos and text, appear to be a series of spoofs, attempts 
at humor and teasing (some of which could be viewed as obscene) by more than 
one person. It was not possible to verify that the subject posted the material or 
whether the content of the photos and text refer to, portray, or are attributable to 
the subject. In the view of experienced Internet analysts, these profiles were not 
intended to be taken seriously. The subject is linked with the items reported by tag¬ 
ging of the subject’s name in several of the photos on Flickr and in the Facebook 
profile and the use of a nickname that appears in other profiles of the subject. To 


Copyrighted material 



Internet Intelligence Reporting ■ 241 


understand or verify the apparently humorous nature of the postings, the subject s 
explanation could be sought. 


During my career, I have had the privilege of participating in every aspect of 
intelligence and investigative collection, reporting, high-level executive recommen¬ 
dations, testimony, all-source assessments, critical infrastructure protection, intelli¬ 
gence analytical management, training, and comprehensive project documentation. 
The most important principle I learned is that decision makers want a report to 
provide the critical facts as clearly and succinctly as possible. Executives look for 
a summary at the beginning, substantial evidence presented in clear writing in a 
well-structured body, and reliable sources for the facts reported. Nonpertinent data 
may be collected and retained until it is confirmed that they are unneeded but 
should not be included in a report. Intelligence reporting may need to include 
items that appear to contradict the central theme or tenor of the evidence because 
not every situation is black and white, and competing versions of the facts may 
be found. Internet and open-source data may contain items deliberately posted 
to deceive, and a key purpose of collection and analysis is to find and weigh the 
credibility of all evidence. In the early twenty-first century, it has unfortunately 
become the norm for some advocates to exaggerate, prevaricate, and deceive to 
convince the public. It is good to remember that, today, the report of open-source 
intelligence is competing with many types of media catching the client s attention, 
so the most effective reports are grammatical, succinct, accurate and convincing, 
and hold the reader s attention. 


Organization and Formatting 

In some types of intelligence assessment (usually at a higher management level), 
it is not only the essential facts that are reported but also the framework for the 
decisions to be made. In this type of document, the report is a summary of all 
the relevant intelligence reporting, and is structured to convey 

■ Facts as well as can be known 

■ Options, with all major choices outlined 

■ Pros and cons for each option 

■ Summary of the evidence for the best option 

■ Recommendation for the option to be chosen 

The decision support report type outlined is similar to the transmittal document, 
in which not only findings but also opinions, assessments, and recommendations 
are provided. However, it differs in that it includes intelligence summaries 
with opinions. 


Copyrighted material 



Internet Intelligence Reporting ■ 243 


Business credit report (e.g., Dun & Bradstreet, if not covered previously) 
History 

News media reports 

As mentioned, topical headings can be added or deleted as appropriate. Some 
individuals and organizations have multiple websites, and online activities may or 
may not be a large portion of the report, depending on such activities. 


Source Citations 

Tliere are two widely used methods of source citations in open-source intelligence 
reports, one in which the sources appear directly beneath the item reported and 
the other in which footnote- or endnote-style superscript numbers or letters are 
appended to the item, referring to a citation appearing in a section at the end of 
each page or, more often, at the end of the report. Normally, citations are not used 
in the executive summary. Sources should be shown wherever possible in the main 
body because, by the nature of open-source reporting, it is possible that doubt or a 
dispute could arise over the accuracy of an items substance. Open-source reporting 
is unlike that from covert or clandestine sources. Most of the time, it is not only 
unnecessary to protect sources and methods in Internet investigative reports but 
also important for the consumer of the report to be able to see the source to help 
judge the reliability of each item. Internet citations should include the URL from 
which the data were collected, allowing the reader to refer to the page. A Portable 
Document Format (PDF) copy of the web page should be placed in an appendix 
to the report, or at least maintained in the case file, in case it becomes necessary to 
review the original source. Because websites may change frequently, the version of 
the page as found should be preserved. 


Attribution 

In reporting an item found on the Internet, the analyst should take care to exam¬ 
ine the basis for attributing the information to the subject. Matching a name may 
not be a strong identification by itself. If attribution is crucial to the value of the 
report, the analyst should not assume that the reader has the same level of convic¬ 
tion that the data are identifiable with the subject. It may be desirable to spell out 
the factors that led to the identification, especially il they are not readily visible 
in the text. If the client is familiar with Internet reports and likely to reach the 
same conclusions based on the information presented, the facts found can be laid 
out without comments. However, if the report may be reviewed by others (e.g., an 
executive concerned with a no-hire decision or withholding of a security clearance, 


Copyrighted material 



244 ■ Cybervetting 


a decision against a merger or pursuing an intellectual property theft case against a 
competitor), it may be prudent to point out the basis of the item s attribution. Following 
is a fictionalized example from an actual case: 

Cornelius McCarthy, using the name Markus Smith, addressed a group of team¬ 
mates in an Internet presentation preserved in an audio recording and posted 
online as part of his activities as a leader in the Hundred Years War massively 
multiplayer online fantasy game. In the audio recording (transcript attached), 
McCarthy used obscenities, racial epithets, and insults for team members as part 
of his role as an army leader. He also urged the team to spend all day and all night, 
as he does, in pursuing online game objectives. 

Source: http://www.hundredyearswar.com/audio/839021hfnaso_4f 
[Analyst s note: The subject was identified by the tag “Pillager” on the audio file at 
the above URL, which is a user name the subject also employed on his MySpace and 
Facebook profiles, as well as revealed in a Variety interview of April 1, 2014, in which 
he asserted that his leadership role in the online game enhances his managerial cre¬ 
dentials at XWR Systems, where he is employed as a software security programmer. 

His true name, user name, and online fantasy war pseudonym are recorded 
together on all of the above profiles found, as well as in the Variety story.] 

The analyst should carefully note and record (if not report) all of the indicators 
used to attribute a finding on the Internet to a particular person or entity. This is 
a good practice even if there is no question asked or denial on the part of a subject 
that it is a valid attribution. Tine analyst will find that there are many ways to link 
an individual or entity with behavior, and often, it only takes an alert observation 
to record ample evidence of the connection. Note that it is possible for a hacker to 
impersonate someone else online and post items that seem attributable, but are not. 
Ultimately, attribution should be verified if adverse action is contemplated. 


Verification 

Attributing a particular behavior or posting to a subject may reflect a single instance 
or may be part of a pattern of behavior. Although it appears that many Internet 
users have multiple virtual identities (user names, nicknames, handles), it is not 
unusual for a person to 

■ List all or many of his or her different nicknames in a Facebook or other profile 

■ Reveal and publish his or her true name and nickname in asingle communication 

■ Use Twitter or e-mail to update a group with a link to a true name and nick¬ 
name together 

Finding the virtual identities used by a subject assists the Internet investiga¬ 
tor to find all or many of the instances where online behavior is observable and 


Copyrighted material 



Chapter 20 


Illicit Websites and 
Illegal Behavior Online 


Introduction 

Internet investigations frequently focus on individuals or organizations to deter¬ 
mine the nature of their behaviors online. Increasingly, investigations of terrorism, 
organized crime, fraud, economic espionage, smuggling, and other serious crimes 
find websites used in criminal enterprises. As the growth of e-commerce reflects 
(estimated at $263.3 billion annually, an increase of 16.9% [±4.9%] from 2012 in 
the United States, according to the Census Bureau), 1 the Internet is a good venue to 
advertise, attract customers, direct prospects to sales sites, proselytize, collaborate 
online, plan and coordinate activities, order goods, and keep track of enterprises. 
Digital goods are especially easy to sell online. Unfortunately, digital goods might 
also include pirated films, videos, music, software, and the like. 


Cybercrime 

Child pornography, unauthorized use of computer systems, and contraband digital 
assets are three examples of crimes that have moved aggressively online. It is worth 
taking a moment, because of the frequency that such cybercrimes are found, to 
outline the difficulties they pose for enterprises, investigators, and the Internet as 
a venue. 


249 


Copyrighted material 


250 ■ Cybervetting 


Child Pornography and Internet Porn 

Child pornography laws in the United States and most of the world generally define 
depiction and possession of images of underage sexual activity as illegal. 2 In the 
United States, federal criminal law in Title 18 US Code Sections 2251—2260 for¬ 
bids production of child pornography (15- to 30-year sentence); selling or buy¬ 
ing children for sexual exploitation (30 years to life); possession, distribution, and 
receipt of child pornography (5- to 20-year sentence); and importation of child 
pornography (10-year sentence). The severity of the sentences alone testifies to the 
seriousness with which the federal criminal justice system treats child pornography. 
Yet, it is all too easy to encounter what appears to be “kiddie porn” online. One of 
the reasons was articulated by the Department of Justice: “Unfortunately, the child 
pornography market exploded in the advent of the Internet and advanced digi¬ 
tal technology. The Internet provides ground for individuals to create, access, and 
share child sexual abuse images worldwide at the click of a button.” 3 Approaches 
to child porn and its relationship with child sexual abuse challenge all levels of law 
enforcement and have inspired collaboration for decades. 4 

The distribution of child pornography anonymously, worldwide via the web, 
has allowed a formerly well-controlled crime to explode from the mid-1980s to the 
present. Ironically, the digital nature of the images has allowed law enforcement to 
discover and verify possession of known illegal porn in the computers and media 
of suspects, facilitating enforcement. However, the wide proliferation of images 
and mingling with other adult materials has created a large burden for the criminal 
justice system. As much as half of federal, state, and local law enforcement com¬ 
puter forensic examinations have involved kiddie porn. Child pornography involves 
explicit photos and videos that can be found in many places, including foreign 
websites offering downloads of images that are illegal to view, possess, or convey 
in America. From the titles and cover photos, even hotel adult videos available on 
demand on room TVs seem to involve underage performers, although technically 
they may be of legal age. Complicating enforcement is the cultivation of adult male 
taste for “young” females engaging in explicit sexual acts, as illustrated by frequent 
use of such terms as coed , schoolgirl , teen , and young amateur girls in porn titles. 
Appearance and dress or undress can make it virtually impossible to ascertain the 
age of the participants to a casual viewer, but seeking youth in porn sites online 
is apt to result in finding illegal materials. 

Because the statutes forbid mere possession of child pornography, Internet 
users must be careful to avoid youthful images. However, the same caution 
applies to investigators, who can inadvertently download child pornography in the 
course of a routine investigation. The National Center for Missing and Exploited 
Children, by an act of Congress, handles reports of child exploitation, including 
child pornography. Further information is available on their website (http://www. 
missingkids.com/home), and specific child exploitation guidance can be found at 
http://www.missingkids.com/Report. 


Copyrighted material 



252 ■ Cybervetting 


nation-states, as well as criminals, have reasons to penetrate enterprise systems. At 
risk for business and government are invaluable IP, secrets, and personally identify¬ 
ing information, as well as significant amounts of cash losses. 6 

As indicated in the studies endnoted previously and numerous media stories, 
large numbers of computer system penetrations have resulted in recent years in the 
theft of millions of users’ identities, 7 financial information, and sensitive personal 
data, as well as money. Many large, market-leading companies have lost computer- 
hosted hardware, software, research, and development data worth hundreds of bil¬ 
lions of dollars. Although the loss and recovery costs are high for personal data, 
they are almost incalculable for data that could lead to the failure of an enterprise 
because of theft of its most valuable technology. In some IP cases of which I am 
aware, market leaders became also-rans in less than a year or two, and the losses in 
jobs, corporate value, and national economic strength totaled many tens of billions 
of dollars. Competition in the world economy depends on our ability to protect 
the private enterprise’s and government agency’s knowledge, skills, and automated 
operations. Some believe that economic warfare is under way between nations will¬ 
ing to support cyber war against competitors and against nations like the United 
States, which are as yet incapable of protecting the automated enterprises of the 
nation and its businesses. In truth, any enterprise or agency depends for its success 
on the ability to resist internal and external cyber attacks and to ascertain how best 
to control its own cyberspace. Because the insiders of each enterprise profoundly 
contribute to or detract from its cyber security, their role is crucial to protection. 

International organized criminals use cyberspace to target individuals and US 
infrastructure, using an endless variety of schemes to steal hundreds of millions of 
dollars from consumers and the US economy. These schemes also jeopardize the 
security of personal information, the stability of business and government infra¬ 
structures, and the security and solvency of financial investment markets. 8 

Among the vital lessons that an Internet intelligence investigator-analyst must 
remember is the likelihood that malicious code will be encountered in all prob¬ 
ability after a certain amount of searching. Further, the role of the analyst might 
be interesting to a cybercriminal for many reasons, not least of which is if he or she 
is under investigation. The data in the analyst’s possession might be sensitive and 
could even relate to the cybercriminal. While Internet information is being col¬ 
lected, it is possible for a sophisticated person or group to detect the collection and 
target the analyst. Among the measures to be considered, therefore, are the use of 
proxies and separate computer workstations for online searching, strong antivirus 
and antimalware, and constant vigilance to detect attacks on the analyst’s systems. 
Some types of investigation could use undercover roles (e.g., virtual identities such 
as e-mail services, social website personae, and masked Internet protocol addresses) 
to help avoid detection by subjects of investigation or others who could pose a 
threat to the analyst. A concerted attack using high-end software designed for pen¬ 
etrating computer systems (e.g., password cracker or malware payloads in ostensibly 


Copyrighted material 



Illicit Websites and Illegal Behavior Online ■ 253 


innocent e-mail) could pose a threat to most computer systems. 9 It is up to the 
analyst and his or her team to assess the nature of the subject they are investigating 
and to take adequate measures for self-protection if there is a likelihood that the 
case could involve black-hat hacking. 


Contraband Digital Assets 

Besides child pornography, there are several other kinds of digital property that 
may be illegal to access, take without permission, possess, sell, alter, or delete. 
Examples include pirated (illegally copied) films, videos, music, video games, and 
software. The Motion Picture Association of America and its think tanks estimated 
that losses to Internet piracy by the film industry are $6.1 billion annually, and 
the US economy loses $20.5 billion annually in 2013 numbers. 10 The Directors 
Guild of America estimated 2010 economic losses of $25 billion. 11 A 2007 study 
by the Institute for Policy Innovation estimated that, each year, copyright piracy 
from motion pictures, sound recordings, business and entertainment software, and 
video games costs the US economy $58 billion in total output, 373,375 American 
jobs, and $16.3 billion in earnings, and costs federal, state, and local governments 
$2.6 billion in tax revenue. 12 The estimated ad revenue of pirate websites in 2013 
was $227 million. 13 Even if these estimates are high or lack a firm statistical founda¬ 
tion, they illustrate the significant damage caused by cybercrime. 

Copyright piracy losses pale in comparison with the damages from annual 
thefts of manufacturers’ IP, including research and development of new products: 
“The scale of international theft of American intellectual property (IP) is unprec¬ 
edented—hundreds of billions of dollars per year, on the order of the size of US 
exports to Asia.” This was over $300 billion according to a report in May 2013 by 
the Commission on the Theft of American Intellectual Property. 14 Various esti¬ 
mates in the past several years also suggested that US losses of IP totaled hun¬ 
dreds of billions of dollars annually, and congressional testimony about Chinese 
cyber espionage against the United States, based on US intelligence community 
stats, estimated annual losses of $338 billion (not only by China). 15 Significant 
portions of data breach losses come from personally identifying information lost, 
including fraud, from the Internet, from hacking, from stolen laptops, and from 
stolen computers. 16 

Because there are too many intangibles to place much weight on these statistics, 
precise quantification of the issue of IP loss is not possible. However, the important 
lesson is that IP theft is a growing crime with much greater impact than others, ben- 
efitting perpetrating countries and companies at the expense of victims and result¬ 
ing in devastating damage to victim companies and their national economies that 
lose their market to a competitor. Prolonged and deep losses of IP can mean the end 
of industries and of a national economy itself, and the 10 million or so Americans 
who have their identities stolen yearly suffer both financially and in terms of faith 


Copyrighted material 



254 ■ Cybervetting 


in the Internet as a safe medium. Internet investigations are crucial to brand and 
IP protection. Early appearances of new products and services based on stolen IP 
can allow a firm or agency to detect the loss and begin addressing recovery. Today, 
it may take only weeks for a competitor to integrate designs acquired through cor¬ 
porate espionage into a new product, and the reverse-engineering process has been 
mastered in parts of the world with weak policing of IP (e.g., China, Southeast Asia, 
parts of the former Soviet Union, Eastern Europe, and Latin America). Although 
civil and criminal law may help protect US corporations from competing products 
based on stolen IP within North America, investigation and recovery in the rest of 
the world can be challenging. 

Among the many examples 17 of significant losses caused by IP economic espio¬ 
nage are the following: 

■ Major cell phones and personal digital assistants 

■ Personal computers 

■ Software, including games 

■ Electronics manufacturing and testing equipment 

■ Automobiles and auto parts 

■ Purses and leather goods 

■ Golf clubs, tennis rackets, sporting equipment 

■ Electronics manufacturing, control, and testing equipment 

■ Aeronautics control systems and software, hardware, and parts 

■ Biotechnology research, including pharmaceuticals 

■ Night vision and distance imaging 

■ Designer clothing 

Periodic reports about knockoffs of high-end watches sold on street corners 
in major cities and on the Internet illustrate the issue. Whether or not a $39 to 
$99 “Rolex” is considered the real thing by a buyer, knockoffs do their damage to 
brands and the sales of legitimate products. Resilient markets for contraband goods 
allow stolen, counterfeit, and diverted products to be sold through both physi¬ 
cal and online outlets. Perhaps the most insidious of these is the Internet market 
for pharmaceuticals. Hundreds of websites offer prescription drugs online, includ¬ 
ing major drugstore chains, mail-order pharmacies, and health insurance plan- 
associated drug providers. 18 Illicit online pharmacies have proliferated in the past 
dozen years, offering generic and discount drugs, with and without a prescription, 
and often pretending to be Canadian pharmacies. American consumers who seek 
discount drugs online can easily be confused about the illicit online pharmacies 
because they look and behave much like legitimate mail-order drugstores. Often, 
the online pharmacies are not in Canada, and drugs they sell are shipped from 
abroad to US customers. Among many examples encountered over the past few 
years are the following: 


Copyrighted material 




Illicit Websites and Illegal Behavior Online ■ 259 


8. Op. cit. 

9. Hacking tools—notice they are also security tools—are described in http://sectools. 
org/ (accessed April 24, 2014). 

10. Bialik, Carl, Putting a Price Tag on Film Piracy, Wall Street Journal, April 5, 2013, 
http://blogs.wsj.com/numbersguy/putting-a-price-tag-on-film-piracy-1228/ (accessed 
April 24, 2014). 

11. Directors Guild of America, spring 2010, http://www.dga.org/craft/dgaq/all- 
articles/1001 -spring-2010/internet-issues-piracy-statistics.aspx (accessed April 24, 
2014). 

12. Siwek, Stephen E., The True Cost of Copyright Industry Piracy to the US Economy, 
Institute for Policy Innovation, IPI Center for Technology Freedom, October 2007. 

13. Moses, Lucia, New Report Says How Much Advertising Is Going to Piracy Sites $227 
million in 2013, Ad Week , http://www.adweek.com/news/advertising-branding/new- 
report-says-how-much-advertising-going-piracy-sites-155770 (accessed April 24, 2014). 

14. Report of the Commission on the "Iheft of American Intellectual Property, May 
2013, National Bureau of Asian Research, including remarks by Dennis C. Blair 
and Jon M. Huntsman, Jr., http://www.ipcommission.org/report/IP_Commission_ 
Report_052213.pdf (accessed April 25, 2014). 

15. Testimony of Larry M. Wortzel before the House of Representatives, Committee on 
Energy and Commerce Subcommittee on Oversight and Investigations, July 9, 2013, 
http://docs.house.gov/ meetings/IF/IF02/20130709/101104/HHRG-l 13-IF02- 
Wstate-WortzelL-20130709-Ul.pdf (accessed April 25, 2014). 

16. Almeling, David, Snyder, Darin, Sapoznikow, Michael, McCollum, Whitney, and 
Weader, Jill, United States: A Statistical Analysis of Trade Secret Litigation in Federal 
Courts, Gonzaga Law Review , March 2010, http://www.mondaq.com/unitedstates/ 
article.asp?articleid=971 50 (accessed May 5, 2010); Yager, Loren, director of interna¬ 
tional affairs and trade, GAO, Intellectual Property, Risk and Enforcement Challenges, 
testimony before the House Judiciary Subcommittee on Courts, the Internet, and 
Intellectual Property, October 18, 2007, http://www.gao.gov/new.items/d08177t.pdf 
(accessed June 1,2010). 

17. Products identified as involved in IP theft are from cases known to me. 

18. I have tracked Internet pharmacies offering drugs to US customers illegally. FBFs 
online pharmacy advice is available at http://www.fbi.gov/page2/march09/pharmacy_ 
030309.html (accessed April 25, 2014). 

19. Markoff, John, and Barboza, David, Academic Paper in China Sets Off Alarms in US, 
New York Times , March 10, 2010 (accessed April 25, 2014). 

20. Chinese Academics’ Paper on Cyberwar Sets Off Alarms in US, New York Times , 
March 21, 2010, http://www.nytimes.com/2010/03/21/world/asia/21grid.html? 
pagewanted=all (accessed April 25, 2014). 

21. Liang, Qiao, and Xiangsui, Wang, Unrestricted Warfare, Senior Colonels , Chinese Peoples 
Liberation Army (Beijing: PLA Literature and Arts Publishing House, 1999). The 
book asserts that warfare is no longer strictly a military operation, that the battlefield 
no longer has boundaries, and information warfare provides asymmetric advantages 
to China; Ventre, Daniel, Chinese Information and Cyber Warfare, April 13, 2010, 
http://www.e-r.info/?p=3845 (accessed April 25, 2014), which noted: “In 1995 the 
General Wang Pufeng, considered as the ‘father’ of Chinese doctrine of Information 
Warfare, said that dhe goal of Information Warfare is no longer the conquest of territo¬ 
ries or the destruction of enemy troops, but the destruction of the enemy’s will to resist. 


Copyrighted material 



260 ■ Cybervetting 


Information Warfare is a war in which the ability to see, to know and to strike more 
accurately and before the adversary, is as important as firepower. In 1997, Colonel 
Baocun Wang added that 

• Information Warfare can be conducted in times of peace, crisis and war; 

• Information Warfare consists of offensive and defensive operations; 

• The main components of Information Warfare are C2 (Command and Control), 
Intelligence, Electronic Warfare, Psychological Warfare, Hackers Warfare and 
Economic warfare.” 

Wortzel, Larry M., commissioner, U.S.-China Economic and Security Review 
Commission, Chinas Approach to Cyber Operations: Implications for the United 
States, testimony before the Committee on Foreign Affairs, US House of Representatives 
Hearing on “The Google Predicament: Transforming U.S. Cyberspace Policy to 
Advance Democracy, Security, and Trade,” March 10, 2010: Lieutenant General Liu 
Jixian, of the PLA Academy of Military Science, writes that the PLA must develop 
asymmetrical capabilities including space-based information support, and networked- 
focused “soft attack,” against potential enemies. Xu Rongsheng, chief scientist at the 
Cyber Security Lab of the Institute for High Energy Physics of the Chinese Academy of 
Sciences, told a Chinese news reporter that: “Cyber warfare may be carried out in two 
ways. In wartimes, disrupt and damage the networks of infrastructure facilities, such 
as power systems, telecommunications systems, and education systems, in a country; 
or in military engagements, the cyber technology of the military forces can be turned 
into combat capabilities.” Liu Jixian, Innovation and Development in the Research 
of Basic Issues of Joint Operations, China Military Science, March 2009, in Open 
Source Center CPP20090928563001; Dongfang Zaobao, July 10, 2009, in Open Source 
Center CPP2009071 0045002; see http://www.internationalrelations.house.gOv/l 11/ 
wor031010.pdf (accessed May 8, 2010). 

22. One site offering both security and hacking tools is http://sectools.org/ (accessed 
April 25, 2014). 


Copyrighted material 



Model Cybervetting Investigative Guidelines ■ 263 


is equally important to verify the applicants honesty and candor and see if there is 
more online (including items posted by others relevant to the subject). 


Model Internet Search Guidelines 

These Internet search guidelines shall be applied when an Internet search is con¬ 
ducted for an investigative purpose, including searches for gathering background 
information to support hiring, promotion, and access to protected data; con¬ 
ducting investigations for due diligence; to protect or resolve security issues with 
information systems; to gather evidence of illegal activities; and for investiga¬ 
tions and intelligence operations conducted at the direction of the legal, human 
resources, information technology (IT), and security departments. 

■ Internet searches will be conducted in a thorough, professional manner 
to achieve optimal results either in-house or through an authorized vendor to 
ensure that they are conducted 

- By trained and experienced personnel using approved systems 
— In substantially the same manner for all individuals of the same type 
or category 

■ In accordance with legal, ethical, and enterprise requirements 
Internet searches will be conducted, to the extent possible, 

■ Efficiently, within the time, information systems, client requirements, and 
up-to-date methodology available 

■ Thoroughly, accessing and retrieving data from as comprehensive an array of 
resources as possible 

■ Accurately, using precise search terms, logical variations, and sound methods 
to find and attribute information correctly 

■ To meet the stated needs of the client within enterprise policy 

Results of Internet searches will be analyzed and reported in accordance with 
the following criteria: 

■ Attribution of information to individual(s) will be supported with evidence, 
including images of web pages found and summaries of references, with 
specifics that verify attribution, along with any indication of limitations or 
conflicts with items attributed to the subject. 

■ Information that could tend to mitigate, refute, or shed doubt on behavior 
attributed to an individual will be reported along with that which is attributed. 

■ Information verifying the subject s background or activities will be reported, 
along with substantive information that conflicts with details provided by the 


Copyrighted material 



266 ■ Cybervetting 


■ Data apparently attributable to the subject without verification 

■ Comparison of data attributed to the subject with known facts 

■ The nature of sources linking subject with derogatory information 

■ The certainty that derogatory information refers to subject and not someone else 

■ The credibility of the websites and postings involved 

■ Potential sources of verification of information derived from postings 

■ Indicators of accuracy or inaccuracy in postings 

■ Mitigating circumstances relevant to analysis of findings 

During a review of adverse findings based on Internet search results, it may 
be appropriate to consider alternatives to actions, such as discharge, denial of an 
employment opportunity, or denial of a clearance in favor of rehabilitation, proba¬ 
tion, monitoring, and training, particularly when the individual is new or unfamil¬ 
iar with AUP standards and the behavior found is unacceptable in the workplace 
but relatively commonplace on the Internet. The purpose of the process is to assess 
whether the subject’s documented past behavior indicates that future behavior can 
reasonably be expected to be of a similar, unacceptable nature or will meet employer 
standards with appropriate guidance. 


Definitions to Consider 

The following definitions should be considered when establishing policy, proce¬ 
dures, and guidelines for Internet searching (cybervetting): 

Consent is an individuals documented acknowledgment or acceptance of speci¬ 
fied conditions. 

The Internet is a worldwide network of interconnected computers. 

Internet posting is placing information online to make it accessible over the 
Internet. 

Internet searching is a process of locating and retrieving data available on the 
Internet. 

Notice is documented communication to individual(s) of specified conditions. 

Verification is the process of confirming facts and evidence, such as obtaining cor¬ 
roboration from different sources or determining direct authorship of a posting. 

Vetting is collection, examination, and evaluation of information for acceptance, 
such as a background investigation on an individual who is a candidate for 
hire, promotion, or granting or maintaining a security clearance. 

Enterprise policies and guidelines for Internet investigations benefit when 
knowledgeable and experienced personnel participate in their formulation, just as 
the inquiries themselves are more effective and efficient when carried out by a group 
that has specialized in them. 


Copyrighted material 



Copyrighted material 



270 ■ Cybervetting 


regulations and withstand possible outside scrutiny . 1 These standards do not pre¬ 
clude accessing open-source information, including Internet searching, for autho¬ 
rized purposes other than investigations. 

Following is a generic enterprise policy for Internet searches: 

Enterprise Internet search standards and guidelines shall be followed when Internet 
searches are conducted on an individual or entity for an investigative purpose, such 
as part of a background investigation (“cybervetting”) on any candidate for employ¬ 
ment, promotion, or access to valuable assets, including information systems. 
Enterprise Internet search guidelines prescribe authorized searchers, procedures, 
and adjudication protocols. Executive approval and documentation are required 
for any exceptions to this policy, which will be in effect until changed in writing. 


Key Considerations 

Following are key considerations for every enterprise regarding the inclusion of 
Internet searching in investigations: 

■ Some individuals may not realize that material posted online may be avail¬ 
able publicly. 

■ Internet activities include fantasy, games, humor, exaggeration, lies, and 
other content that could create a misimpression of a persons behavior, char¬ 
acter, or intent. 

■ Some postings may be intended for private use only and not for broader access. 

■ Some information may concern an individuals protected class, including 
race, sex, national origin, or ethnicity, which is not to be considered in 
employment actions under Title VII of the Equal Opportunity Employment 
Act and related laws . 2 

■ More than one individual may use the same e-mail address or user ID online, 
thus complicating the identification of the person who posted specific materials. 

■ Although a person is accountable for his or her misbehavior, mitigating fac¬ 
tors regarding Internet postings should be evaluated (e.g., humorous items). 


Higher-Risk Candidates 

Certain categories of individuals may be considered to represent a higher likeli¬ 
hood of having relevant Internet materials that could have an impact on enterprise 
decisions or justify cybervetting because they will occupy a more sensitive posi¬ 
tion, including 

■ IT professionals and systems administrators 

■ Website designers, software authors, and programmers 


Copyrighted material 



272 ■ Cybervetting 


Ihey argue that when the applicant understands that prior employers, refer¬ 
ences, associates, and records will be consulted to verify his or her qualifications 
and eligibility for the position, addition of public Internet records is no more intru¬ 
sive than the rest of the background investigation. Those arguing against searching 
without notice point out that some of the posted materials were not intended for 
viewing by prospective employers. No case law appears to back up this argument 
to date. 


Legal Issues 

In the absence of legislation, litigation, and a history of cybervetting, every enter¬ 
prise properly should consider measures to handle those relatively few instances 
(6% to 30% of those cybervetted, in our experience) for which derogatory infor¬ 
mation from Internet investigation could result in an adverse finding. Despite the 
percentages, even one or a few individuals can represent a significant risk of large- 
scale loss. Background investigations, including cybervetting, are often conducted 
only after a conditional offer of employment. In such instances, an adverse decision 
must be documented, and the candidate may be legally entitled to an explanation 
under the Fair Credit Reporting Act and related federal laws and regulations if the 
cybervetting is conducted by a third party. 

The subject is the person in the best position to verify findings, including 
attribution of postings, and explain the behaviors involved. An interview is most 
often appropriate for this purpose and should be a part of enterprise procedures. 
Interviews conducted during the background investigation process are a part of the 
investigation, especially when they concern verification and clarification of infor¬ 
mation discovered online or by other investigation. The honesty of a candidate 
in providing information to an employer is critical. However, for those heavily 
involved in Internet use, including e-mail, instant messaging, websites, profiles, 
social networking, and so on, it may be difficult to remember all the details of 
activities over the past 7 years or more. For example, e-mail addresses no longer 
used by an individual may be forgotten, and failure to list a forgotten e-mail address 
on an application form may not be dishonest (any more than forgetting a street 
address). One reason for an interview about Internet activities might be to refresh a 
candidate s recollection about dated postings, virtual identities, or online activities 
not included on a form but found during an Internet search. 

When an Internet investigation and subject interview leave an enterprise with 
unresolved issues, there are options short of rejection of a candidacy that may be 
appropriate. Some government agencies have asked a candidate for a high-level 
clearance or law enforcement position to demonstrate on his or her personal 
computer the nature and extent of online activities. In the case of a Bozeman, 
Montana, city requirement for applicants to provide passwords for access to their 
online accounts, a firestorm erupted in June 2009 at this intrusion into private 


Copyrighted material 



A Model Internet Investigation Policy ■ 275 


Consent 

I authorize the inclusion of cybervetting in a background investigation to deter¬ 
mine or verify eligibility and qualifications for the position sought. 


(Signature) 


Questionnaire 

Candidates should provide answers to the following questions: 

List all online communities in which you are an active member. 

List any e-mail addresses that you have used in the past 7 years. Remember 
to include college, military, and Internet service provider (ISP) e-mail 
addresses. Include all personal, work, school, organizational, military, cell 
phone, and instant messaging e-mail addresses. List the type and whether it 
is current or shared by another user. 

List any screen names, handles, or nicknames used online not listed above. 

List your own websites, blogs, or other personal profiles that are online (e.g., 
Facebook, MySpace, www.yourname.com). 

List anyone who shared the use of an e-mail address, or access to the same 
computer with you, including your spouse or significant other(s), family, 
roommates, and so on. Explain. 

Have you ever been disciplined or penalized by an ISP or information systems 
owner for failure to abide by an AUP? If so, explain. 

Have you ever been denied Internet or other information systems services? If 
so, explain. 

Have you ever knowingly violated laws, regulations, or the rules or AUPs of 
an information system provider, including work or home Internet service? 

Have you created computer programs, configured or managed information sys¬ 
tems, or otherwise participated in computer systems administration? If so, 
briefly describe. 

Have you ever been accused of or been responsible for an information systems 
outage, failure, intrusion, or security incident? If so, describe. 

Have you ever participated in unauthorized file sharing, unauthorized access to 
digital content (e.g., software, music, movies, files), or similar unauthorized 
systems activities? If so, explain. 

Have you ever connected unauthorized devices (including memory media, 
modems, personal digital assistants, wireless Internet, cell phones, music 
pods, tablets, etc.) to an information system belonging to an employer or 
someone else? If so, explain. 

Please make any comment or statement you would like to add about your his¬ 
tory of computer systems and Internet use. 

These suggested forms are not intended to provide all-inclusive, legally vetted 
wording for all businesses and government agencies, but they are a starting point 
from which policies and procedures can be created. 


Copyrighted material 



276 ■ Cybervetting 


Notes 

1. The Internet investigation policy presented here was developed in the course of my 
consulting for business, government, and academic clients over the past 8 years. 

2. Federal job discrimination laws summary, http://www.eeoc.gov/facts/qanda.html 
(accessed April 25, 2014). 

3. McCullagh, Declan, Want a Job? Give Bozeman your Facebook, Google Passwords, 
CNET News , June 18, 2009, http://www.cnet.com/news/want-a-job-give-bozeman- 
your-facebook-google-passwords/ (accessed April 25, 2014). 


Copyrighted material 



Chapter 23 


A Model Internet 
Posting Policy 


Government agencies, businesses, and other organizations should consider adding 
instructions on Internet posting to their authorized use policy, employee hand¬ 
book, confidentiality agreements, and disciplinary procedures. Employees, con¬ 
tractors, and other authorized users can post to the Internet from work and from 
home, and items online can be destructive to the enterprise if they are untrue, 
unauthorized, or illicit. Anonymous slander of businesses and agencies is relatively 
common online, posing challenges, including identification of the perpetrator and 
a response to contain the potential damage. The following is a succinct statement 
of a model posting policy 1 : 

The Internet is important to us as individuals and to our enterprise because so many 
people communicate and rely on information they find online. False, inaccurate, 
slanderous, or illicit postings can be damaging to the enterprise, our suppliers, 
partners, and our customers. We depend on our communications, marketing, and 
human resources departments to post enterprise messages online, including on our 
website and on other websites. Because of the risk of mixed messages, miscommu- 
nication, and unlawful and damaging data online, all employees and contractors 
are required to adhere to the following: 

■ Enterprise e-mail addresses and official titles are not to be used in Internet 
postings or communications except as part of approved business functions. 

■ Internet postings and communications should not include references to the 
enterprise without prior coordination with and approval from the appropri¬ 
ate department and your manager. 


277 


Copyrighted material 


A Model Internet Posting Policy ■ 279 


name, or anonymously. The personnel and security departments should formulate 
an approach that anticipates and mitigates the risk that a disgruntled employee 
could use the Internet to attack the enterprise. Case law supports the enforcement 
of confidentiality agreements in such cases. 

Employees and contractors have a First Amendment right to express themselves 
as they wish, and experience has shown that references to employers online are over¬ 
whelmingly positive. Authorized Internet postings should be encouraged, including 
those on professional business websites likely to cast the enterprise and the employee 
in a positive light. Nevertheless, there should be sufficient direction in behavioral 
standards and guidelines to discourage improper and unlawful Internet postings. 

Note 

1. The Internet posting policy presented here was developed in the course of my consult¬ 
ing for business, government, and academic clients over the past 8 years. 


Copyrighted material 



Chapter 24 

Internet Intelligence Issues 


Introduction 

This book does not pretend to solve all the issues surrounding Internet investiga¬ 
tions, cybervetting, and intelligence, but it will allow any practitioner or organi¬ 
zation to establish the foundation for sound methodology, policies, and procedures. 
The urgency of the need to address Internet behaviors and data available online is 
illustrated in this book, but perhaps a bit more discussion would be useful for both 
cyber investigations and ethics. 


Privacy 

Discussing Internet searching with an executive officer of a law enforcement, intel¬ 
ligence, or security function elicits the view that their agencies are free to use the 
Internet to collect public information about an individual or entity without ques¬ 
tion. The same discussion with corporate clients and attorneys, and some govern¬ 
ment attorneys, for the past 8 years has elicited different views, as have the relatively 
few published court and academic legal opinions. Uncertainty over what privacy 
means on the Internet has paralyzed individuals and organizations, who under¬ 
stand the issue of web postings’ potential threat to an enterprise’s well-being, and 
that paralysis means that there are no Internet search standards. Despite the favor¬ 
able view in the courts (see Chapter 8) that public postings are not protected, doubt 
persists. Internet searching as an area of professional practice has probably suffered 
because of this uncertainty. 

The International Association of Chiefs of Police (IACP), in conjunction with 
the Department of Defense Personnel Security Research Center (PERSEREC), 

281 


Copyrighted material 


282 ■ Cybervetting 


conducted a study to determine appropriate guidelines for developing cybervetting 
and Internet posting policies for law enforcement and the intelligence commu¬ 
nity (IC). The IC guidelines remain unpublished, but their contents are essentially 
the same as the December 2010 publication, “Developing a Cybervetting Strategy 
for Law Enforcement,” available from IACP. 1 Because the study carefully involved 
legal, privacy, human resources, law enforcement, and intelligence experts and 
aimed for a balanced approach acceptable to a consensus of sometimes-opposing 
views, the guidelines represent the best effort of all stakeholders and authorities. 
They remain, so far, unique in available guidance for any organization. 

The Privacy Act of 1974 as amended (5 U.S.C. 552a) does not contain a defini¬ 
tion of privacy, and the act itself restricts federal government maintenance and dis¬ 
closure of information about individuals and permits people to access and correct 
records about themselves. Generally, federal and state laws, and decisions upholding 
privacy rights, recognize a “right to be left alone” and to have a “reasonable expec¬ 
tation of privacy” in ones home and certain other nonpublic places. 2 Computers, 
networks, and the Internet create additional venues where it is necessary to gauge 
the extent to which an individual has a reasonable expectation of privacy. 

A working definition of Internet privacy is the ability to control the information 
revealed about oneself on the Internet, which implies that a person has the right to 
post items in a restricted manner without fear that those items will be used in a way 
that the person did not intend. 

This concept, however, confronts the physical world’s legal standard of “plain 
view” because anyone, including government authorities, have a right to collect and 
act on what can be seen in plain view. In fact, law enforcement is sworn to act 
on unlawful behavior, contraband, and other illicit observations in plain view— 
ignoring criminal behavior is not an option. Regardless of the intentions of the indi¬ 
vidual uploading content to the Internet, if the posting is placed in plain view, there 
is no reasonable expectation of privacy. At least two layers of plain view exist, in my 
opinion: items that a poster intends for a number of other persons to see and items 
that are protected from display to all but a very few persons (or only their proprietor). 
In either case, when privacy is invoked by the requirement to use authentication for 
access (e.g., a user name and password), then there is an expectation of some degree 
of privacy. One could argue that on Facebook, for instance, there is no expectation 
of privacy on a public profile—it is in plain view. On a profile visible to all 1 billion- 
plus Facebook users, again, there is no reasonable expectation of privacy. On a profile 
visible to a large number of “friends” (e.g., 30 or more people), it would be difficult to 
argue that the poster has effectively kept the materials to himself or herself. Only if 
the posted items are restricted to a small group could the poster expect that they are 
private, although anyone of the group viewing the items could theoretically reveal 
them to others, for example, by copying and posting them in a public forum. For all 
such postings, the objective test of privacy is whether the public or other people have 
free access to them. Although the intent of the poster is important, if the materials 
are visible to others, they are not private. They are in plain view. 


Copyrighted material 



Internet Intelligence Issues ■ 283 


dhe plain view description provided is complicated by the unintended conse¬ 
quences of posting on a site where programs may make items visible, or actively 
disseminate them, to other viewers. For instance, Facebook has introduced sev¬ 
eral privacy settings changes (and rescinded some under user pressure) that caused 
a persons postings to appear on his or her friends' profiles. Another example is 
Linkedln updates on contacts, which create thumbnail entries in a users home 
page whenever a contact does certain things, such as update his or her photo or 
profile. The attempt to market through social and business networking sites also 
makes users' data available to businesses affiliated with them. All of these fly in the 
face of privacy and the user’s ability to control the dissemination of the data posted. 

It is useful to consider the mechanisms used to protect the privacy of the informa¬ 
tion stored on a website in assessing whether it is in plain view. When a posted item 
is indexed by a search engine and displayed in search results to all users, it is clearly 
in plain view. Because the same method (user name and password) is employed to 
protect one’s banking and credit transactions, society has come to accept this form 
of authentication as a protective barrier, behind which data remain private. You 
log on to the bank website. You log on to Facebook, MySpace, or whatever social 
site. However, there are at least two modes of protection when log-on credentials 
are needed: information exposed to all or a substantial number of members who 
can also log on and that body of postings to which access is supposed to be denied 
except by express permission of the user. Just because the authentication is similar, 
that does not mean that Facebook data enjoy the same privacy protection as online 
banking. Clearly, items posted on social sites do not enjoy protection from those 
with authorized access, in the inner circle of the individual’s profile, and from any 
programming designed to share data by pushing it to others online. It is the nature 
of the exposure allowed by the poster, within the access allowed by the website, that 
determines the degree of privacy reasonably expected for data placed online. 

For investigators, the plain view approach to privacy is both ethical and fair. If 
a user is naive or unlucky or ignorant enough to broadcast—actually publish—data 
that are of use to an inquiry, then it is appropriate for the investigator to find and 
collect them. Users overwhelmingly choose little or no protections for postings 3 
and therefore have no claim to privacy of their published data in plain view— 
although recent surveys show that while teens are more apt to post many personal 
details, adults increasingly desire to protect their information online, realizing that 
many personal details about them are available on the public Internet. 


Smoking Guns 

Some agencies and companies have made an effort to discover the types of materi¬ 
als posted that could pose a danger or problem for them as an employer. In every 
instance, it has been possible to find publicly visible, outrageous behavior online. 
Examples of the kinds of problems that arise were provided previously and include 


Copyrighted material 



Internet Intelligence Issues ■ 285 


without permission, to sale and purchase of stolen property. Most illicit sites are 
part of the “dark Web,” that is, they are not indexed by Google and will not appear 
in casual Internet search results. Many users of the illicit websites will engage in 
illegal activities without ever being brought to justice. Frequently, the pseudonyms 
(handles) used in illegal transactions are also found in postings that allow identi¬ 
fication of the individuals using them. By correlating the results of astute searches 
with identifying information on hand, analysts can identify those involved in 
online misbehavior, especially if they are sloppy and prolific posters. 

In addressing the issue of what would constitute a comprehensive view of 
the Internet, an enterprise may wish to consider which illicit websites may pose 
a threat. Habitual users of such websites would probably represent an unaccept¬ 
able risk. For example, an individual in the habit of sharing digital films or music 
outside copyright restrictions would be a high-risk hire for a movie or recording 
studio. An animal rights protester would be a risky new employee at a pharma¬ 
ceutical research firm engaged in animal testing. A bank would not want to hire 
someone who bought and sold stolen credit card information online. As part of its 
own security protection, an employer may wish to analyze those websites posing the 
greatest threat and document, to the extent possible, those individuals known to 
use the sites. There are Internet intelligence firms that offer the capability of search¬ 
ing the virtual identities of candidates against data captured from the deep web. 
Intelligence of this type can be crucial in background vetting. 

As Internet investigations mature, there are at least several types of due dili¬ 
gence that will be added to those routinely conducted today: 

■ A thorough, automated search of Internet-accessible sites and databases for 
references to a subjects true name, virtual identities, activities, and associates. 

■ A search of captured data from illicit websites continuously maintained by 
Internet intelligence service providers (probably private, not government). 

■ A defensive scan of Internet activities by employers (or their outsourced ser¬ 
vice providers) to find postings potentially dangerous to the enterprise. This 
is done today for such purposes as brand protection, market assessment, and 
stock monitoring. 

It is likely that services such as those described will be provided by the same 
large data vendors that today furnish government and business with intelligence 
from large files on people and businesses. Small service providers will include pri¬ 
vate investigators and researchers. 


Adjudication 

All investigative and intelligence work requires a customized, actionable product, 
presented in a timely fashion to a decision maker. The Internet age has made the 


Copyrighted material 



288 ■ Cybervetting 


6. Troy, Thomas F., Donovan and the CIA: A History of the Establish?ne?it of the Central 
Intelligence Agency (Frederick, MD: University Publications of America, 1981). 

7. Pew Internet and American Life, Anonymity, Privacy and Security Online, September 
2013, and other Pew studies, see http://www.pewinternet.org/2013/09/05/anonymity- 
privacy-and-security-online/ (accessed April 26, 2014). 


Copyrighted material 



Index 


A 

Abuse online, see Crime and misbehavior 
online 

Activism, 201 

AdvancedBackgroundChecks, 218 
Adventure junkie, 33 
Aggregator websites (Web 2.0), 218 
AI, see Artificial intelligence 
AltaVista, 194 
Amazon, 53, 203 

Americans with Disabilities Act, .88. 

America Online (AOL), 10, 27, 75, 104 
chat, 206 
e-mail, 28, 137 
Analysts Notebook, 227 
Anonymous identity, 106 
AnyWho.com, 219 
AOL, see America Online 
Artificial intelligence (AI), 230 
ASIS standards, 128-131 
background checking, 128 
CareerBuilder study, 129 
government records, 130 
identification and attribution, 131 
job requirements, 128 
risk to privacy, 129 

unlawful discrimination in hiring, 128 
Ask.com, 10, 194 

Association of Internet Researchers, 132-135 
assumptions, 133 
ethical pluralism approach, 132 
fair game, 134 
guidelines, 132-133 
legal requirements, 133 
public forum participants, 134 
questions of disclosure, 132 
utilitarian, 134 


valuable concepts, 133 
virtual worlds, 132 

AT&T, national white and yellow pages, 219 
AUP, see Authorized use policy 
Authorized use policy (AUP), 3 
constitutional rights, 84 
enterprise strategy, 261 
Facebook, 198 

liability for service providers, 76 
Automated searching, 225—236 
best-in-class desktop tool, 229 
caching and data mining, 232-233 
daunting task, 232 
great equalizer, 233 
HyperText Markup Language, 232 
search utilities, 232 

enterprise search middleware, 227—228 
analytical and visualization tools, 227 
data mining, 227 

enterprise database software tools, 227 
intranet applications, 227 
targeted markets, 228 
web crawling, 228 
homegrown solution, 231 
human interface in Internet investigations, 

233-235 

collection of intelligence, 233 
ethics, 234 
lessons learned, 233 
open-source intelligence, 235 
pretexting, 234 
privacy, 234 

undercover operators, 233 
investigative search tool requirements, 

229-231 

artificial intelligence, 230 
databases, 229 


289 


Copyrighted material 












290 ■ Index 


government agencies, 230 
LexisNexis, 229 

true references, identification of, 229 
metasearch tools, 223 
middleware, 225 
purpose, 226 

capabilities, 226 
core processes, 226 
list of websites, 226 

reducing analytical time using automation, 
231-232 

logic and intuition needed, 232 
multitask process, 231 
new practitioner, 231 
software types, 225 

B 

Babcl.com, 206 

Behavior online, 25-38 

connections and disconnecting, 34-36 

attempt to expunge revealing references, 

36 

business and government leaders, 36 
cottage industry, 35 
“eighty best friends,” 34. 
removal of embarrassing materials from 
websites, ,35 

evolution of Internet uses, 29—34 
adventure junkie, 33 
BYOD, 32 

demographic data. 30 
handheld devices, 31 
highest percentages of Internet use 30 
increased bandwidth, 29 
mobile tools, 31 
online role-playing game, 33 
Internet use growth, 25—29 

blocking of employee Internet surfing, 29 
core vulnerability. 28 
derogatory information, 26 
destructive increase, 25 
e-mail providers, 28 
most popular websites in the United 
States, _28 

personal online activities at work, 27 
phenomenon, 25 
social engineering, 27 
social networking sites, 26 
user passwords, 28 
wireless telephone networks, 27 
physical world, virtual activities, 34 


Behavior and technology, 1—2 
changes in Internet use, 1 
employees, 1 

implications of illicit behavior, 1 
Best practices, 49 
Better Business Bureau, 214 
Bing, 10, 27, 194 

intentions driving, 71 
search software provided by, 205 
Black-hat hackers, 44, 251, 257 
Blogs, 205 
Botnets, 173, 251 
Brain trust, exodus of, 81 
Brick-and-mortar business, 72 
Bring your own device (BYOD), 32, 121 
Business-related sources, 214-215 
BYOD, see Bring your own device 

c 

Cached pages, 193 
Caching, data mining and, 232-233 
CAGR, see Compound annual growth rate 
California Database Protection Act (CDPA), 89 
CareerBuilder study, 129, 284 
CDPA, see California Database Protection Act 
Central Intelligence Agency (CIA), 86, 286 
Children’s Online Privacy Protection Act 
(COPPA), 88 

CIA, see Central Intelligence Agency 

City of San Diego v. Roe , 99 

Civil litigation, 154 

Civil Rights Act of 1964, 78, 88 

Clinton, William, 118 

Cloud 

services, 4. 

stolen document stored in, 68 
Clusty.com, 195 

Commercial searching, see Search techniques 
Compound annual growth rate (CAGR), 4 
Computer Fraud and Abuse Act, 44, 87, 110 
Computer Security Act of 1987, 88 
Confrontational interview, 245, 246 
Consumer Privacy Bill of Rights, 118 
Copernic, 215 

Agent Personal, 229 
Agent Professional, 229 
search software provided by, 205 
COPPA, see Children’s Online Privacy 
Protection Act 

Copyrighted works, exchange of, 45 
Corporate contraband, 77 


Copyrighted material 







Index ■ 291 


Corporate data mining, 227 
Cracker method for intrusions, 144 
Craigslist, 203 

Crime and misbehavior online, 39-47 
by the numbers, 40-41 

“bottomless pit” of relentless crimes, 4l 
criminal conspiracies. 40 
reporting of Internet crime, 41 
types of criminal investigations, 40. 
digital delinquency, 42 
electronic evidence linked with Internet 
protocol connectivity, _39 
FBI computer forensic laboratories, 39 
“free” intellectual property, 42—44 
anti-cybercrime enforcers, 43 
black-hat hacker, 44 
digital records, AA 
digital rights management, 43 
gray-hat hacker, AA 
law enforcement, struggle of, 43 
prosecutorial choices, 43 
white-hat hacker, 44- 
insider, 44-43 

copyrighted works, exchange of, 45 
digital evidence, 45 
Internet advertising, 45 
privileged access, AA 
risk of loss from insiders, AA 
trend toward indiscreet behavior, 45 
Internet Crime Complaint Center, 40 
Internet of things, 39 
misbehavior online, 46 
online venues, 41-42 

criminal enterprises, facilitation of, 42 
employer responsibilities, 41 
Internet Relay Chat, 41 
organized Internet crime, 42 
threats, 39 

Cromer v. L exi ngto n - Fayette Urban County 
Government , 108 
Customized subtasks, 177 
Cyber bullying case (first US), 110 
Cybercrime, 249-255 
botnets, 251 

child pornography and Internet porn, 

250-251 

contraband digital assets, 253—255 
dumpster diving, 251 
examples, 249 

international organized criminals, 252 
knockoff watches, 254 
malicious code, 252 


unauthorized use of computer systems, 

251-253 

zombie, 251 

D 

Dark Web, 285 

Data mining, 14, 227, 232-233 
Davis v. Gracey , 102 
Decision engine, 194 
Deep web business search, 214 
Demographic data, 30 
Dialog.com, 215 
Digital forensic evidence, 62 
Digital rights management (DRM), 43, 65 
DNS, see Domain Name System 
Doe v. 2TheMart.com , 105 
Dogpile.com, 195 
Domain Name System (DNS), 190 
Domestic principles, see International and 
domestic principles 
Driver s Privacy Protection Act, -88- 
DR M, see Digital rights management 
Dumpster diving, 251 
Dun &C Brad street, _222 

E 

EarthLink, 104 
Economic espionage. 141 

ECPA, see Electronic Communications Privacy 
Act of 1986 

Electronically stored information (ESI), 111 
Electronic Communications Privacy Act of 
1986 (ECPA), 87 
E-mail providers, _28 
Employee Polygraph Protection Act, ,88. 
Employees 

accountability for, 79-81 
administrative sanctions against, 284 
blocking of Internet surfing by, 29 
compromise of insider account, 28 
dismissal, 106 
employer liability and, 61 
employer monitoring of online misbehavior, 
60 

felony crime committed by, 80 
illicit behavior on the Internet by, J_ 
irresponsible, 137 
millennial, 137 

Endicott Interconnect Technologies Inc. v. 

National Labor Relations Board , 106 


Copyrighted material 


292 ■ Index 


Enterprise, see Implications for the enterprise 
Equal Employment Act, 60 
Equal Employment Opportunity Commission, 
&& 

Equal Opportunity Employment Act, 270 

ESI, see Electronically stored information 

Espionage cases, 79 

EU Data Privacy Protection Act, 93 

Exalead, search software provided by, 205 

Excel database, 232 

ExpertRank, 194 

F 

Facebook, 53, 282 

authorized use policy, 198 
quantity of data uploaded, 13 
“Face time” video telephone calls, 75 
Factiva.com, 215 

Fair Credit Reporting Act (FCRA), 15, 60, 86, 
110, 128, 238, 272 
False social networking profiles, 18 
Family Educational Rights and Privacy Act, 88 
FatCow.com, options for website owners, 220 
FBI, see Federal Bureau of Investigation 
FCRA, see Fair Credit Reporting Act 
FDA, w Food and Drug Administration 
Federal Bankruptcy Act, 88 
Federal Bureau of Investigation (FBI), 255 
agents, arrest of,J8H 
collection of information by, 125 
computer forensic laboratories, 39 
Director, 39 

Federal Information Security Management Act 
(FISMA), 87 

Federal Rules of Evidence and computer 
records, 91—93 

admissibility and authenticity of evidence, 

91 

authentication and veracity, 93 
case law, 93 

hearsay rule, exception to, 92 
First Amendment right, 279 
FISMA, see Federal Information Security 
Management Act 
Flash Player, 189 
Flickr, 52, 218 

Food and Drug Administration (FDA), 186, 
255 

Friend feed, 218 


G 

Garcetti v. Ceballos , 99, 106 
Geolocation-based services, 203 
Gigablast, 194 

GoDaddy.com, options for website owners, 220 
Google, 27, 53 

e-mail, 28, 137, 221 
hacks, 193 

intentions driving, 71 
search software provided by, 205 
Government sources, see Sources (finding) 
Gramm-Leach-Bliley Act of 1999, 15, 86 
Gray-hat hacker, AA 
Griffin v. State of Maryland, 99 
Guidelines, see Model cybervetting investigative 
guidelines 
GuideStar, 213 

H 

Handheld devices, 31 
Hanssen, Robert, 67, 80, 143 
Health Guide USA, 213 
Health Insurance Portability and 

Accountability Act of 1996 
(HIPAA),D, 86 
Hearsay rule, exception to, 92 
HIPAA, see Health Insurance Portability and 
Accountability Act of 1996 

Hiring 

gold standard for, 60 
unlawful discrimination in, 128 
Homeland Security Act of 2002, 87 
Hoover, J, Edgar, 150, 286 
Hotmail. 28 

HTML, see HyperText Markup Language 
HyperText Markup Language (HTML), 189, 
232, 264 


1 

IACP, see International Association of Chiefs 
of Police 

ICQ, 206 

Illicit websites and illegal behavior online, 

249- 260 

cybercrime, 249—255 
botnets, 251 

child pornography and Internet porn, 

250- 251 


Copyrighted material 









Index ■ 293 


contraband digital assets, 253—255 
dumpster diving, 251 
examples, 249 

international organized criminals, 252 
knockoff watches, 254 
malicious code, 252 
unauthorized use of computer systems, 

251-253 

zombie, 251 

information (cyber) warfare, 256-258 
attribution, 257 
background of, 256 
great equalizer, 256 
humanity, 258 

journeymen cyber warriors, 257 
major attacks, 256 
pirated goods, 249 

Implications for the enterprise, 59—70 
employer liability, 61—62 

attribution of documentation, 62 
deep pockets, 61 
digital forensic evidence, 62 
illicit employee behavior, 61 
potential cost in lost bandwidth, 62 
technospeak, 62 

evolving personnel security model, 65—69 
admitting prior misbehavior, 67 
candidate trustworthiness, 66 
computer misuse at home, 67 
digital rights management, 65 
insider as traitor, 67 
post-September JJ_ (2001) impetus, 65 
scrutiny, 65 
sociological trends, 66 
new user (trust), 60-61 
cell phones, 60 
employer issues, 61 
gold standard for hiring, .60. 
recent trends, .60 
value of enterprise data, 61 
social media vetting, studies of, 59 
surveys, 59 

vetting, monitoring, and accountability, 

62-64 

attribution for online misbehavior 

controversy, 62 

cynics, 63 

privacy, 63 

social contract, 63 

user accountability policy, &A. 

IM services, see Instant messaging services 


iNameCheck cybervetting case study, 54-57 
Adjudicative Guidelines, 54_ 
derogatory findings, 54, 55 
implications of review, 56 
important observations, 56 
serious risk, 56 

Information (cyber) warfare, 256—258 
attribution, 257 
background of, 256 
great equalizer, 256 
journeymen cyber warriors, 257 
major attacks, 256 
Insider threat, 141—145 
agency leaders, 142 
benevolent big brother, 143-144 

cracker method for intrusions, 144 
inevitable balance, 144 
insider threat solution, 143 
need for good behavior online, 144 
social engineering, 144 
economic espionage, comparison to, JA1 
“friending” applicants, 142 
narrow thinking, 142 
Instant messaging (IM) services, 216 
Intelligence issues, see Internet intelligence 
issues 

Intelligence reporting, see Internet intelligence 
reporting 

International Association of Chiefs of Police 
(IACP), 281 

International and domestic principles, 117—126 
government standards, 122-125 
candidate disclosure, 124 
clearance standards, 123 
Executive Orders, 123 
explicit authority, 125 
Joint Security Commission, 124 
personnel security measures, 124 
Public Internet postings, 124 
parallel guidance (Internet research ethics), 
125 

US and international privacy principles, 
117-122 
BYOD, 121 

collection and use of information, 
principles of, 117 
communications, 122 
Consumer Privacy Bill of Rights, 118 
executive order, 118 
mitigating factors, 119 
mobile devices, proliferation of, 120 


Copyrighted material 


294 ■ Index 


reliability factor, 118 
socially irresponsible behavior online, 
119 

U.S. Government information system, 
conditions of, 121 
whole person concept, 118 
Internet advertising, 45 
Internet Crime Complaint Center, 40 
Internet intelligence issues, 281—288 
adjudication, 285-286 
lessons learned, 286 
true facts, 286 

completeness of Internet searching, 

284-285 
dark Web, 285 
due diligence, 285 
illicit websites, threat of, 285 
privacy, 281-283 
Facebook, 282 
intelligence community, 282 
Internet privacy, working definition of, 
282 

plain view description, 283 
public postings, 281 
smoking guns, 283—284 

administrative sanctions against 
employees, 284 
CareerBuilder study, 284 
cost of cybervetting, 284 
outrageous behavior online, 283 
Internet intelligence reporting, 237—247 
analyst’s comments, 240-241 
circumstances, 240 
critical facts, 241 
example, 240 

inappropriate opinion, 240 
attribution, 243-244 

bottom line of cybervetting guidance, 238 
content, 238—240 

information capture, 239 
principles of reporting, 239 
records keeping, 238 
ways to approach, 239 
organization and formatting, 241—243 
decision support report type, 241—242 
report on a company, 242 
report on a person, 242 
structure, 241 
topical headings, 243 
paper trail, 238 
records, 238 
serial murderer, 237 


source citations, 243 
verification, 244-247 

confrontational interview, 245, 246 
friending the subject, 246 
friendly stranger, 246 
inability to verify report, 245 
open-source intelligence, 247 
virtual identities, 244 
work-related googling, 237 
Internet privacy, working definition of, 282 
Internet Relay Chat (IRC), 41, 16, 206 
Internet searching, framework for, 147 
Internet search methodology, 177 
Internet service provider (ISP), 71, 87, 221 
Internet’s potential for investigators and 
intelligence officers, 3—23 
authorized use policy, 3 
finding the needles, 19 
growth of Internet use, 4-12 
cloud services, _4 

compound annual growth rate, 4, 6 
demographics of Internet users, 1_ 
digital evidence, 9-10 
diversity of Internet use,_4 
googling applicants, 10 
implications, j) 
new neighborhood, 11 
nonbusiness activities,^ 
objection to cybervetting, 11 
record of past behavior, 11 
role-playing games, 9 
search engines, evolution of, 10 
social networking, 12 
Internet posts and the people they profile, 
16-18 

false social networking profiles, 18 
Internet Relay Chat, 16 
personal profiles, 17 
third-party postings, example of, 18 
need for speed, 19—20 

counterproductive investigative 
methods, 19 
phenomenon, 20 
search and analysis tools, 19 
practitioner’s perspective, 12-13 
dossier, _F3 

marketing and sales, 13 
open-source information, 12 
professionals, 13 
profiling, 12 
public availability, 3 


Copyrighted material 





Index ■ 295 


search, 13—16 

casual searching, 16 

Facebook, quantity of data uploaded, 13 
global data created and replicated, 13 
haunting conclusion, 14 
number of queries made, 14 
personal approach to searching, 15 
telephone directory, Internet as, 16 
sufficiency of searches, 20. 

Internet of things, 39 
Invasion of privacy torts, 107 
Invisible Web, 181, 185 
IRC, see Internet Relay Chat 
ISP, see Internet service provider 

J 

JavaScript, 189 

Joint Security Commission, 124 
Journeymen cyber warriors, 257 

K 

Kindle (Amazon), 203 
Knockoff watches, 254 
Konop v. Hawaiian Airlines, 102 


Laws, 83-96 

Americans with Disabilities Act, £8. 
California Database Protection Act, 89 
Childrens Online Privacy Protection Act, 

M 

Civil Rights Act of 1964, 78, 88 
Computer Fraud and Abuse Act, 44, 87 
Computer Security Act of 1987, 88 
constitutional rights, 83-85 
authorized use policy, 84 
illegal collection of information, 84 
litigation, 84 

Drivers Privacy Protection Act , OR 
Electronic Communications Privacy Act of 

1986, 8Z 

Employee Polygraph Protection Act, .88. 
Equal Employment Act, 60 
Equal Opportunity Employment Act, 270 
Fair Credit Reporting Act, 15, 60, 86, 128, 

238,272 

Family Educational Rights and Privacy 
Act, .88 

Federal Bankruptcy Act, 88 


Federal Information Security Management 
Act,_8Z 

Federal Rules of Evidence and computer 
records, 91-93 

admissibility and authenticity of 
evidence, 91 

authentication and veracity, 93 
case law, 93 

hearsay rule, exception to, 92 
Gramm-Leach-Bliley Act of 1999, 15, 86 
Health Insurance Portability and 

Accountability Act of 1996, 15, 86 
Homeland Security Act of 2002, 87 
international treaties and standards, 93-94 
Canadian Personal Information 
Protection and Electronic 
Documents Act, 93 
Council of Europe Convention on 
Cybercrime, 93 

EU Data Privacy Protection Act, _93 
existing laws, summary of, 94 
National Labor Relations Act, 88 
Privacy Act, 15, 85, 282 
Privacy Protection Act, 102 
Public Information Act (Freedom of 
Information Act), .86. 

Sarbanes-Oxley Act, _1_5 
statutes, 85—91 

criminal infringement, 88 
federal background screening laws, 88 
federal statutes, 85—89 
Oklahoma Social Networking and Social 
Media Policy and Standards, .90. 
state statutes, 89-91 

Title VII of the Civil Rights Act 1996, 88, 

130 

Uruguay Round Agreements Act, 88 
USA Patriot Act, 86 
Legal and policy context, 71—73 
brick-and-mortar business, 72 
collection of user data, 72 
free services, 171 
Google, 72 

intentions driving search engine providers, 71 
Internet service providers, 71 
US Congress, 171 
Legislation, see Laws 
LexisNexis, 212, 229 

Liability, privacy, and management issues, 75-82 
accountability for employees, 79—81 
arrest of FBI agents, 80 
brain trust, exodus of, _81_ 


Copyrighted material 







296 ■ Index 


espionage cases, 79 
felony crime, 

personnel management, _8I1 
liability for employers, 77-79 

applicant background investigations, 78 
areas of concern, 78 
avoiding serious liability, 78 
questioning of candidates, 79 
virtual identities, 79 
liability for service providers, 75—77 
authorized use policy, 76 
corporate contraband, _ZZ 
courts, 76 

“face time” video telephone calls, 75 
government agencies, 75 
“one-stop shopping” firms, 75 
role of commercial Internet portal, 75 
telecommunications networks, 76 
Linkedln, _53* 200 
Litigation, 97-116 

admissibility of electronically generated and 
stored evidence, 111—112 
electronically stored information, 111 
memos guidance, 111 
anonymity, 99-100 
City of San Diego v. Roe , 99 
Cromer v. Lexington-Fayette Urban County 
Government , 108 
Davis v. Gracey , 102 
Doe v. 2TheMart.com , 105 
due process, 103—105 
analysis, 103 

authentication of online information, 

105 

central issues, 103 
comment, 103 
court ruling, 104-105 
Endicott Interconnect Technologies I?tc. v. 

National Labor Relations Board , 106 
expectation of privacy, 100—103 
courts two-part test, 100 
lower court decisions, 100 
Supreme Court, 101 
US Court of Appeals for the Armed 
Forces, 101 

Garcetti v. Cebalios , 99, 106 
Griffin v. State of Maryland, 99 
Internet privacy for the twenty-first century, 
108-110 
conflict, 109 
“false” pseudonym, 110 


first US cyber bullying case, 110 
relevant issues, 109 
Internet search litigation, 97-99 
cases, 98-99 

decisions against employers, 98 
employee claim, 97 
US Government employee, 97 
invasion of privacy torts, 107 
Konop v. Hawaiian Airlines, 102 
libel/defamation, 105-106 
anonymous identity, 106 
comment, 106 
court criteria, 105 
employee dismissal, 106 
Lorraine v. MarkelAmerican Insurance Co., 
Ill 

Oja v. US Army Corps of Engineers* 107 
Omnibus Crime Control and Safe Streets 
Act, 100 

Pietrylo et al. v. Hillstone Restaurant Group, 
28 

Raytheon Company v. John Does 1—21, 104 
sanctions for public postings, 107—108 
Stacy Snyder v. Millersville University, 108 
trends and legal challenges to investigative 
searching, 112 

United States v. Charbonneau, 102 
United States v. Ziegler, 102 
Live Journal, 218 

Lorraine v. Markel American Insurance Co., Ill 

M 

Malware, 174 
Mama.com, 215 
Mamma.com, 205 

Management issues, see Liability, privacy, and 
management issues 
MapQuest, 194 
Meetup.com, 201 

Metasearch engines, advantage of using, 195 
Microsoft 

Bing, 10, 194 
e-mail, 137 

options for website owners, 220 
Middleware, 225, 227-228 
Mobile devices, proliferation of, 120 
Mobile tools, 31 

Model cybervetting investigative guidelines, 
261-267 

authorized Internet search (cybervetting) 
personnel, 265-266 


Copyrighted material 






Index ■ 297 


adverse findings, 266 
ethics, 265 

important elements, 266 
definitions to consider, 266 
enterprise strategy, 261-263 
authorized use policy, 261 
norms, 261 

reason for cybervetting, reiteration of, 

262 

unrestrictive approach, 262 
model Internet search guidelines, 263—265 
conducting of Internet searches, 263 
decision making, 265 
Equal Employment Opportunity law, 
264 

guidelines, 263 

results of Internet searches, 263 
Model Internet investigation policy, 269-276 
application procedures and forms, 271-272 
argument, 272 
attorney belief, 271 
privacy, 271 

recommended information, 271 
confidentiality, 273 
disciplinary action, 274 
Equal Opportunity Employment Act, 270 
ethics in investigations, 273 
higher-risk candidates, 270—271 
key considerations, 270 
legal issues, 272—273 

conditional offer of employment, 272 
Fair Credit Reporting Act, 272 
honesty of candidate, 272 
illegal activities detected, 273 
options, 272 

model forms for candidates, 274-275 
consent, 275 
notice, 274 
questionnaire, 275 
personal pursuits, 269 
references, 269 

Model Internet posting policy, 277—279 
anonymous slander, 277 
awareness and training measures, 278 
contractual obligations, 278 
enterprise reputation, 278 
First Amendment right, 279 
statement, 277-278 
Monittor, 218 
“Most wanted” poster, 213 
MyLife, 218 
MySpace, 53, 136, 199 


_N_ 

National Association of Professional 

Background Screeners, 131-132 
competition, 132 
FCRA standards, 132 
purpose, 131 
standards, 131 

National Institute of Standards and Technology 
(NIST), 88 

National Labor Relations Act (NLRA), 88 
National Labor Relations Board (NLRB), 106 
National Security Agency (NSA), 86 
National Student Clearinghouse, 222 
NctworkSolutions.com, options for website 
owners, 220 
News media, 150 
Nexis.com, 215 

NIST, see National Institute of Standards and 
Technology 

NLRA, see National Labor Relations Act 

NLRB, see National Labor Relations Board 
NSA, see National Security Agency 

o 

Obama, Barack, 124 
Oja v. US Army Corps of Engineers. 107 
Oklahoma Social Networking and Social Media 
Policy and Standards, 90 
Omnibus Crime Control and Safe Streets Act, 
100 

“One-stop shopping” firms, 75 
Online role-playing games, 33, 127 
Open-source intelligence policy, Internet 
vetting and, 149—156 
abuse, 149 

information assets protection, 155—156 
authorized users, 155 
core tenets, 155 
individual privacy, 155 
legal step, 156 

legal and ethical limitations, 150-152 
anonymity of users, 151 
categories of stored information, 152 
entertainment and social networking 
sites, 151 

ethical standards, 152 
internal applications, 150 
Internet hosts, 150 
Internet retailers, 151 


Copyrighted material 





298 ■ Index 


news media, 150 
true facts, 150 
need for policy, 149 
policy, 153-155 

best-available intelligence assessments, 

153 

civil litigation, 154 
false positives, 154 
googling restriction, 153 
indiscretion in Internet postings, 154 
legal departments, 153 
principles, 153 

Society for Human Resource 
Management, 154 

Open-source intelligence process, 163-166 
accuracy of information, 164 
attribution of posting, 165 
authoritativeness of the source, 165 
client’s requirements, 163 
eyewitness reports, 164 
misbehavior, 163 
principles of research, 164 
reporting of results, 166 
verification of online data, 165 
Organized Internet crime, 42 

P 

Page, Larry, 10 
PalTalk.com, 206 
Paper trail, 238 

Pay-as-you-go online service, 180 
PDF, see Portable Document Format 
PeopleFinders, 218 
PeopleSmart, 218 
Photobucket, 52 

Pietrylo et al. v. Hillstone Restaurant Group , 98 
Pinterest, 53 
Pipl, 218 

Pirated goods, 249 

Planning, see Preparation and planning 
POGO (Project on Government Oversite) 
website, 213 

Policy, see Model Internet investigation policy; 

Model Internet posting policy 
Porn-social sites, 201 

Portable Document Format (PDF), 232, 264 
Posting policy, see Model Internet posting policy 
PPA, see Privacy Protection Act 
Preparation and planning, 179—187 
fee-based service, 180 
incomplete search, 181 


invisible Web, 181 
keywords, 179 
library, 182-184 

confidentiality, 183 
reference transactions, definition of, 
183 

search tips, 183 
today’s library, 183 
pay-as-you-go online service, 180 
reverse directories, 179 
scope notes, 184—186 

constraints imposed on searchers, 184 
invisible Web, 185 
planning, 186 
search strategies, 185 
specialized activities, 184 
starting point, 185 
time and effort, 184 
Pretexting, 234 

Prime Time Publishing Company, 213 
Privacy Act, 15, 85, 282 
Privacy issues, see Liability, privacy, and 
management issues 
Privacy Protection Act (PPA), 102 
Procedures for internet searching, 169—175 
criteria, 170—172 
analogy, 170 

ethical responsibilities, 172 
inept googling, 171 
metaphor, 171 
philosophical baseline, 170 
reliability of sources, standards for, 171 
tipping point, 171 
types of intelligence, 170 
nature of data, 169 
necessary controls, 169 
security, 172-175 
botnets, 173 
browser choices, 174 
chain of custody, 174 
malicious code, 172 
malware, 174 

organized criminal groups, 173 
porn, 173 

social engineering, 173 
viruses, prevalence of, 173 
standard methodology, 175 
Professional standards and the Internet, 
127-139 

ASIS standards, 128-131 
background checking, 128 
CareerBuilder study, 129 


Copyrighted material 





Index ■ 299 


government records, 130 
identification and attribution, 131 
job requirements, 128 
risk to privacy, 129 

unlawful discrimination in hiring, 128 
Association of Internet Researchers, 

132-135 

assumptions, 133 
ethical pluralism approach, 132 
fair game, 134 
guidelines, 132-133 
legal requirements, 133 
public forum participants, 134 
questions of disclosure, 132 
utilitarian, 134 
valuable concepts, 133 
virtual worlds, 132 
bottom line, 138 
guidance, 127 

inside and outside the workplace, 136-137 
example, 136 
fundamental mistake, 136 
millennial employees, 137 
monitoring, 136 
librarians, 135-136 
approach, 135 
indexing, 135 

pathway to publications, 136 
National Association of Professional 

Background Screeners, 131—132 
competition, 132 
FCRA standards, 132 
purpose, 131 
standards, 131 

online role-playing games, 127 
reputational risk, public affairs, 137 
“anonymous” identities, 137 
false reports, 137 
irresponsible employees, 137 
SEC regulations, 137 
trade media, 137 
Programming languages, 189 
Prosecutorial choices, 43 
Protest groups, 201 
Public Information Act (Freedom of 
Information Act), .86. 

Q 

Quality control, 166—167 
accuracy, 166 

common mistake, 166-167 


contents of findings, 166 
fairness, 167 
timeliness, 167 

R 

Radaris, 218 

Raytheon Company v. John Does 1—21 , 104 

Raytheon Digital Information Gateway, 227 

Real-time spidering, 194 

Reference transactions, definition of, 183 

Reverse directories, 179 

Reverse IP address lookup service, 221 

Role-playing games, 9 

s 

Sarbanes-Oxley Act, 15 
Search techniques, 189-208 
browser, 190-191 

popularity of browsers, 190 
URL storage, 191 
zombie, 191 

finding search engines, 195 
Internet content, 189-190 

Domain Name System, 190 
HyperText Markup Language, 189 
programming languages, 189 
stock market updates, 189 
types, 190 

metasearch engines, 195 
advantage of using, 195 
disadvantage, 195 
search engine, 191-195 
AltaVista, 194 
Ask.com, 194 
Bing, 194 
cached pages, 193 
decision engine, 194 
Gigablast, 194 
Google hacks, 193 
real-time spidering, 194 
refinement of search results, 194 
SimplyHired.com, 194 
search terms, 196—197 
algorithms, 196 

information not indexed by search 
engines, 196 
normal impulse, 197 
references not identifiable, 196 
time factor, 197 
variations of names, 196 


Copyrighted material 


300 ■ Index 


social and commercial searching, 197—206 
activism, 201 
AOL chat, 206 
blogs, 205 
chat, 205^206 
competition, 203 
contentious issues, 205 
Craigslist, 203 
directories, 204 
e-commerce sites, 202-203 
Facebooks authorized use policy, 198 
Geolocation-based services, 203 
googling a roughly worded question, 
204 

IRC users, 206 
Linkedln, 200 
MySpace, 199 
porn-social sites, 201 
protest groups, 201 
publicity, 199 

search software providers, 205 
social networking sites, 197—202 
true name searches, 199 
webcams, 206 
YouTube, 199 

SEC, see Securities and Exchange Commission 
Securities and Exchange Commission (SEC) 
filings, 144 
regulations, 137 
ShoutMix.com, 206 

SI IRM, see Society for I luman Resource 
Management 
SimplyHircd.com, 194 
Slander, anonymous, 277 
Snap.com, 194 

Snowden, Edward, 68, 80, 86, 143 
Social contract, 63 
Social engineering, 27, 173 
Social media vetting, studies of, 59 
Social searching, see Search techniques 
Society for Human Resource Management 
(SHRM), 154 

Sources (finding), 209-224 

business-related sources, 214—215 
Better Business Bureau, 214 
caution, 214 

deep web business search, 214 
Yahoo business directory, 214 
commercial database providers, 222—223 
hard economic times, 223 
manual searches, 223 
misbehavior, types of, 222 


personal disputes, 223 
registered clients, 222 
database, 209-210 
disclaimers, 209 
e-mail, 221-222 
analysis, 222 

identifying “anonymous” e-mailers, 221 
message forwarding, 221 
message header, 221 
ploy, 222 

reverse IP address lookup service, 221 
looking up subscribers, 219—221 
AnyWho.com, 219 
options for website owners, 220 
Whitepages.com, 219 
Zabasearch.com, 219 
news, 215 

searching by subscription, 215 
strategy, 215 

other government-related sources, 213-214 
CuideStar, 213 
Health Guide USA, 213 
POGO website, 213 
Prime Time Publishing Company, 213 
World Bank, 213 

state, county, and local governments, 

211-213 

fees, 212 
LexisNexis, 212 
local record, 213 
“most wanted” poster, 213 
reference works, 212 
types of records, 212 
vital records, 211 
US government, 210-211 

post-SeptemberJJ^ (2001) online access, 

210 

sites for finding misbehavior, 210 

Web 2.0, 215-219 

aggregator websites, 218 
archival searches, 218 
commercial search engines, 218 
examples, 215 

instant messaging services, 216 
popularity, 216 
proclivity of users, 217 
real-time tools, 218 
search engines, 218 
value of online collaboration, 217 
web-based communities, 215 
Spokeo, 218 

Stacy Snyder v. Millersville University , 108 


Copyrighted material 





Index ■ 301 


Standards, see Professional standards and the 
Internet 

Studies (Internet search), 49-57 
academic study, 50-53 

derogatory findings, 51-52 
guidelines, 50 
lack of candor, 53 
most frequented websites, 53 
participant information, 51 
study summary, 51—53 
white paper, 52 
best practices, 49 

iNameCheck cybervetting case study, 54—57 
Adjudicative Guidelines, 54 
derogatory findings, 54, 55 
implications of review, 56 
important observations, 56 
serious risk, 56 
questions, 49-50 
StumbleUpon, ^3 

T 

Talkcity.com, 206 

Techniques, see Search techniques; Tools, 
techniques, and training 
Technospeak, 62 
TeenChat.com, 206 
Telephone directory, Internet as, 16 
ThePlanet.com, options for website owners, 220 
Third-party postings, example of, 18 
ThompsonReuters.com, 215 
Time/date stamp, 160 

Title VII of the Civil Rights Act 1996, 88, 130 
Tools, techniques, and training, 157-168 
analytical issues, 160 
“facts” found online, 159 
important decisions, 158 
key issues in investigations, 161 
open-source intelligence process, 163—166 
accuracy of information, 164 
attribution of posting, 165 
authoritativeness of the source, 165 
client’s requirements, 163 
eyewitness reports, 164 
misbehavior, 163 
principles of research, 164 
reporting of results, 166 
verification of online data, 165 
quality control, 166—167 
accuracy, 166 

common mistake, 166-167 


contents of findings, 166 
fairness, 167 
timeliness, 167 

reliable sources found on Internet, 159 
results, 157 
time/date stamp, 160 
training analysts, 162-163 
library, 163 

logging of activities, 162 
policies established, 162 
training, 162 
user requirements, 157 
verifying information found on Internet, 

159 

Trackle, 218 
Trade media, 137 

Training, see Tools, techniques, and training 

Traitor, insider as, 67 

True facts, 150, 286 

Tumblr, 53 

Twitter, 27, 53, 218 

U 

Uniform resource locator (URL), 160, 182, 223 
United States v. Charbonneau , 102 
United States v. Ziegler , 102 
URL, see Uniform resource locator 
Uruguay Round Agreements Act, 88 
USA Patriot Act, .86. 

US Comptroller of the Currency, 89 
US Customs and Border Protection, 255 
User accountability policy, .64. 

User passwords,^. 

US Federal Rules of Civil Procedure, 154 
U.S. Government information system, 
conditions of, 121 
US legislative proposals, 94 

V 

Virtual identities, 79, 244 
Viruses 

prevalence of, 173 
prevention of, 62—63 
Vital records, 211 

w 

Web 2.0, 215-219 

aggregator websites, 218 
archival searches, 218 


Copyrighted material 





302 ■ Index 


commercial search engines, 218 
examples, 215 

instant messaging services, 216 
popularity, 216 
proclivity of users, 217 
real-time tools, 218 
search engines, 218 
value of online collaboration, 217 
web-based communities, 215 
Webcams, 206 
Web crawling, 228 
White-hat hackers, 44, 257 
Whitcpages.com, 219 
Whole person concept, 118 
Wiki, caution in using, 214 
Windows Live, 27 
Wireless telephone networks, 27 
Work-related googling, 237 
World Bank, 213 
Worms, prevalence of, 173 


Y 

Yahoo, 10, 27, 53, 104 

agreement with Microsoft, 194 

business directory, 214 

catalog of search engines and directories, 

195 

e-mail, 28, 137, 221 
intentions driving, 71 
options for website owners, 220 
“term-and-conditions” agreement, 104 
Yauba, 218 
Yippy.com, 195 
YouTube, 52, 53, 199 

Z 

Zabasearch, 218, 219 
Zombie, 191, 251 
Zoom info, 218 


Copyrighted material 






FORENSICS & CRIMINAL JUSTICE 


Cybervetting Second Edition 


Researching an individual’s, firm’s, or brand’s online presence has become standard practice 
for many employers, investigators, and intelligence officers, including law enforcement. 
Countless companies and organizations are implementing their own policies, procedures, 
and practices for Internet investigations, cybervetting, and intelligence. Cybervetting: 
Internet Searches for Vetting, Investigations, and Open-Source Intelligence, Second 
Edition examines our society’s growing dependence on networked systems, exploring how 
individuals, businesses, and governments have embraced the Internet, including social 
networking for communications and transactions. It presents two previously unpublished 
studies of the effectiveness of cybervetting, and provides best practices for ethical 
cybervetting, advocating strengthened online security. 

Relevant to investigators, researchers, legal and policy professionals, educators, law 
enforcement, intelligence, and other practitioners, this book establishes the core skills, 
applicable techniques, and suitable guidelines to greatly enhance their practices. The book 
includes the outcomes of recent legal cases relating to discoverable information on social 
media that have established guidelines for using the Internet in vetting, investigations, and 
open-source intelligence. It outlines new tools and tactics, and indicates what is and isn’t 
admissible under current laws. It also highlights current cybervetting methods, provides legal 
frameworks for Internet searching as part of investigations, and describes how to effectively 
integrate cybervetting into an existing screening procedure. 

What’s New in the Second Edition: 

• Presents and analyzes results of two recent studies of the effectiveness of cybervetting 

• Updates key litigation trends, investigative advances, HR practices, 
policy considerations, social networking, and Web 2.0 searching 

• Includes the latest tactics and guidelines for cybervetting 

• Covers policy, legal issues, professional methodology, and the operational techniques 
of cybervetting 

• Provides a strengthened rationale, legal foundation, and procedures for 
successful cybervetting 

• Contains compelling evidence that trends in legal, policy, and procedural developments 
argue for early adoption of cybervetting 

• Presents new strategies and methodologies 

Cybervetting: Internet Searches for Vetting, Investigations, and Open-Source 
Intelligence, Second Edition is a relevant and timely resource well suited to businesses, 
government, non-profits, and academia looking to formulate effective Internet search 
strategies, methodologies, policies, and procedures for their practices or organizations. 

K232M7 



CRC Press 

Taylor & Francis Group 
an informa business 


6000 Broken Sound Parkway, NW 
Suite 300, Boca Raton, FL 33487 
711 Third Avenue 
New York, NY 10017 
2 Park Square, Milton Park 
Abingdon, Oxon OX14 4RN, UK 



www.crcpress.com 


www.crcpress.com 












































Copyrighted material